Application control

ABSTRACT

A method for controlling application operations on data elements includes identifying an activity by an instance of an application running on a host to perform an operation associated with a data element. The method further includes obtaining an application label which includes information regarding the instance of the application, and obtaining a data element label which includes information regarding the data element. Then, based on a combined analysis of the data element label and the application label, an operational policy governing the operation of the instance of the application with respect to the data element is determined. A control action is applied to the operation, according to the operational policy, so as to control the operation by the instance of the application with respect to the data element.

RELATED APPLICATION

This application claims the benefit of priority under 35 USC §119(e) of U.S. Provisional Patent Application No. 62/333,988 filed on May 10, 2016, the contents of which are incorporated herein by reference in their entirety.

FIELD AND BACKGROUND OF THE INVENTION

The present invention, in some embodiments thereof, relates to controlling operations on data elements and, more particularly, but not exclusively, to policy-based control of operations on data elements.

Controlling access to data is a major concern of the field of cyber-security. Unauthorized access to data and/or unauthorized operations on data may cause significant harm to an organization, such as dissemination of the data outside the organization.

Many approaches have been developed to protect data against unauthorized access from both inside and outside the organization. For example, firewalls are used to control external access to the local network. Data may be encrypted so that even if an intruder accesses a data file, the intruder will not be able to read the data in the file.

In another approach, privileged account management (PAM) systems are used to control access to applications and data by privileged accounts, by mechanisms such as credential management and access policies. The access policy may specify data access permissions for a given account, user or group of users. Additionally, a user may be required to provide credentials (such as a password or secret) in order to access the data.

SUMMARY OF THE INVENTION

Embodiments presented herein use an operational policy to control the operations performed by an instance or instances of an application with respect to data elements. The operational policy includes control measures and/or control actions (e.g. protective measures) to be applied to operations performed by the application instance with respect to the data element.

The operational policy is determined by analyzing an application label and a data element label in combination. The application label provides information about the application instance. The application label may include information such as uses of the application instance, characteristics of the application instance, metadata associated with the application instance and so forth. The data element label contains information about the data element, such as use of the data element, characteristics of the data element and operations performed on the data element.

In optional embodiments, the operational policy is additionally based on information regarding multiple application instances and/or on information regarding multiple data elements (typically data elements with some common association with a specific data element). The information regarding the additional application instances and/or data elements may be provided by multiple labels or using labels with aggregated information, as described in more detail below.

As used herein the term “application” means the series of commands (for example contained in an executable file, script or other) that upon execution will create an application instance and/or the execution instance itself. Types of applications include scripts, binaries, loadable modules, services, drivers etc.

As used herein, the term “instance of an application” (also denoted herein “application instance” or “instance”) means a series of commands that are actually executed (i.e. running) on the host, usually mapped to machine memory, represented by a process and/or execution thread and processed by the processor.

As used herein, the term “data element” means data which is accessible to the application instance when permitted by the operational policy. Examples of data elements include data accessible in local storage, on a data server, in the Cloud, etc.

According to an aspect of some embodiments of the present invention there is provided a method for controlling application operations on data elements. The method includes executing program instructions by at least one hardware processor to:

identify an activity by an instance of an application running on a host to perform an operation associated with a data element;

obtain an application label which includes information regarding the instance of the application;

obtain a data element label which includes information regarding the data element;

determine an operational policy based on a combined analysis of at least the application label and the data element label, the operational policy governing the operation of the instance of the application with respect to the data element; and

apply a control action to the operation according to the operational policy, so as to control the operation by the instance of the application with respect to the data element.

According to some embodiments of the invention, identifying the activity by the instance of the running application includes intercepting an attempt by the instance of the application to access the data element.

According to some embodiments of the invention, obtaining an application label includes:

communicating with a resource associated with the application instance;

receiving information about the application instance from the resource; and

defining the application label based on the received information.

According to some embodiments of the invention, applying the control action includes restricting an ability of the instance of the application to perform the operation on the data element.

According to some embodiments of the invention, applying the control action includes controlling access by the instance of the application to the data element.

According to some embodiments of the invention, applying the control action includes dynamically monitoring operations performed by the instance of the application on the data element to identify violations of the operational policy.

According to some embodiments of the invention, applying the control action includes collecting audit data for operations performed by the instance of the application on the data element.

According to some embodiments of the invention, applying the control action includes at least one of:

isolating the host from accessing a network; and

isolating the host from being accessible over a network.

According to some embodiments of the invention, applying the control action includes triggering an alert.

According to some embodiments of the invention, applying the control action includes controlling an operation of at least one other instance of the application with respect to the data element according to the operational policy.

According to some embodiments of the invention, the operation is at least one of: execute, write, read, modify, create and delete.

According to some embodiments of the invention, the method further includes controlling subsequent operations by the instance of the application according to the operational policy.

According to some embodiments of the invention, the method further includes dynamically updating at least one of the data element label and the application label.

According to some embodiments of the invention, the method further includes labeling at least one other data element created by the instance of the application.

According to some embodiments of the invention, the method further includes: upon determining that credentials are required for performing the operation, obtaining, based on the operational policy, corresponding credentials for performing the operation; and

providing the corresponding credentials to the instance of the application.

According to some embodiments of the invention, the data element label includes an aggregation of information regarding a plurality of data elements.

According to some embodiments of the invention, the application label includes an aggregation of at least one of: information regarding a plurality of applications and information regarding a plurality of instances of the application.

According to some embodiments of the invention, obtaining the application label is performed before obtaining the data element label.

According to some embodiments of the invention, obtaining the application label is performed simultaneously with obtaining the data element label.

According to an aspect of some embodiments of the present invention there is provided a system configured for controlling application operations on data elements.

The system includes at least one non-transitory computer readable storage medium storing instructions and at least one processor. The at least one processor is configured to execute the instructions to:

identify an activity by an instance of an application running on a host to perform an operation associated with a data element;

obtain an application label which includes information regarding the application;

obtain a data element label which includes information regarding the data element;

determine, based on a combined analysis of at least the data element label and the application label, an operational policy governing the operation of the instance of the application with respect to the data element; and

apply, according to the operational policy, a control action to the operation, so as to control the operation by the instance of the application on the data element.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to dynamically update at least one of the data element label and the application label.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to label other data elements associated with the application.

According to some embodiments of the invention, the system resides on one of:

the host;

an endpoint machine;

a plurality of endpoint machines;

a local server accessible via a local network;

a remote server accessible via an external network;

at least one cloud-based asset.

According to some embodiments of the invention, the data element resides in one of:

a local memory of the host;

a local storage unit accessible via a local network; and

a remote storage unit accessible via a remote network.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to: upon determining that credentials are required for performing the operation, obtain, based on the operational policy, corresponding credentials for performing the operation; and

provide the corresponding credentials to the instance of the application.

According to some embodiments of the invention, the data element label includes an aggregation of information regarding a plurality of data elements.

According to some embodiments of the invention, the application label includes an aggregation of information regarding a plurality of applications.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to control at least one of: subsequent operations of the instance of the application and operations of at least one other instance of the application according to the operational policy.

According to an aspect of some embodiments of the present invention there is provided a non-transitory computer readable medium including instructions. When executed by at least one processor the instructions cause the at least one processor to perform operations for controlling application operations on data elements. The operations include:

identifying an activity by an instance of an application running on a host to perform an operation associated with a data element;

obtaining an application label which includes information regarding the application;

obtaining a data element label which includes information regarding the data element;

determining, based on a combined analysis of at least the data element label and the application label, an operational policy governing the operation of the instance of the application with respect to the data element; and

applying, according to the operational policy, a control action to the operation, so as to control the operation by the instance of the application on the data element.

According to some embodiments of the invention, the non-transitory computer readable medium further includes instructions to dynamically update at least one of the data element label and the application label.

According to some embodiments of the invention, the non-transitory computer readable medium further includes instructions to label other data elements associated with the application.

According to some embodiments of the invention, the at least one processor resides on one of:

the host;

an endpoint machine;

a plurality of endpoint machines;

a local server accessible via a local network;

a remote server accessible via an external network;

at least one cloud-based asset.

According to some embodiments of the invention, the data element resides in one of:

a local memory of the host;

a local storage unit accessible via a local network; and

a remote storage unit accessible via a remote network.

According to some embodiments of the invention, the non-transitory computer readable medium further includes instructions to: upon determining that credentials are required for performing the operation, obtain, based on the operational policy, corresponding credentials for performing the operation; and

provide the corresponding credentials to the instance of the application.

According to some embodiments of the invention, the data element label includes an aggregation of information regarding a plurality of data elements.

According to some embodiments of the invention, the application label includes an aggregation of information regarding a plurality of applications.

According to some embodiments of the invention, the non-transitory computer readable medium further includes instructions to control at least one of: subsequent operations of the instance of the application and operations of at least one other instance of the application according to the operational policy.

According to an aspect of some embodiments of the present invention there is provided a method for controlling untrusted applications in a system environment. The method includes executing program instructions by at least one hardware processor to:

identify an activity by an instance of an application running on a host to perform an operation associated with a server;

obtain an application label which includes information regarding the instance of the application;

determine an operational policy based on a combined analysis of at least the application label and information pertaining to the server, the operational policy governing the use and operation of the instance of the application with respect to the server; and

apply a control action to the operation according to the operational policy, so as to control the operation by the instance of the application with respect to the server.

According to some embodiments of the invention, identifying the activity by the instance of the running application includes intercepting an attempt by the instance of the running application to access the server.

According to some embodiments of the invention, obtaining an application label includes:

communicating with a resource associated with the application instance;

receiving information about the application instance from the resource; and

defining the application label based on the received information.

According to some embodiments of the invention, applying the control action includes restricting an ability of the instance of the application to perform the operation on the server.

According to some embodiments of the invention, applying the control action includes controlling communication between the instance of the application and the server.

According to some embodiments of the invention, applying the control action includes dynamically monitoring operations performed by the instance of the application with respect to the server to identify violations of the operational policy.

According to some embodiments of the invention, applying the control action includes collecting audit data for operations performed by the instance of the application with respect to the server.

According to some embodiments of the invention, the information pertaining to the server includes at least one of:

an Internet Protocol (IP) address associated with the server;

a Uniform Resource Locator (URL) address associated with the server;

a port associated with the server;

a host name associated with the server; and

a communication protocol associated with the server.

According to some embodiments of the invention, the method further includes dynamically updating at least one of the information pertaining to the server and the application label.

According to some embodiments of the invention, the method further includes:

upon determining that credentials are required for performing the operation, obtaining, based on the operational policy, corresponding credentials for performing the operation; and

providing the corresponding credentials to the instance of the application.

According to some embodiments of the invention, the application label includes an aggregation of at least one of: information regarding a plurality of applications, and information regarding a plurality of instances of the application.

According to some embodiments of the invention, the method further includes creating a server label which includes at least some of the information pertaining to the server, and wherein the determining an operational policy includes a combined analysis of at least the application label and the server label.

According to an aspect of some embodiments of the present invention there is provided a system configured for controlling untrusted applications in a system environment. The system includes at least one non-transitory computer readable storage medium storing instructions and at least one processor. The at least one processor is configured to execute the instructions to:

identify an activity by an instance of an application running on a host to perform an operation associated with a server;

obtain an application label which includes information regarding the instance of the application;

determine an operational policy based on a combined analysis of at least the application label and information pertaining to the server, the operational policy governing the operation of the instance of the application with respect to the server; and

apply a control action to the operation according to the operational policy, so as to control the operation by the instance of the application with respect to the server.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to dynamically update at least one of the information pertaining to the server and the application label.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to:

upon determining that credentials are required for performing the operation, obtain, based on the operational policy, corresponding credentials for performing the operation; and

provide the corresponding credentials to the instance of the application.

According to some embodiments of the invention, the application label includes an aggregation of at least one of: information regarding a plurality of applications, and information regarding a plurality of instances of the application.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to control at least one of: subsequent operations of the instance of the application and operations of at least one other instance of the application according to the operational policy.

According to an aspect of some embodiments of the present invention there is provided a non-transitory computer readable medium including instructions. When executed by at least one processor the instructions cause the at least one processor to control untrusted applications in a system environment by:

identifying an activity by an instance of an application running on a host to perform an operation associated with a server;

obtaining an application label which includes information regarding the instance of the application;

determining an operational policy based on a combined analysis of at least the application label and information pertaining to the server, the operational policy governing the operation of the instance of the application with respect to the server; and

applying a control action to the operation according to the operational policy, so as to control the operation by the instance of the application with respect to the server.

According to some embodiments of the invention, the non-transitory computer readable medium further includes instructions to dynamically update at least one of the information pertaining to the server and the application label.

According to some embodiments of the invention, the non-transitory computer readable medium further includes instructions to:

upon determining that credentials are required for performing the operation, obtain, based on the operational policy, corresponding credentials for performing the operation; and

provide the corresponding credentials to the instance of the application.

According to some embodiments of the invention, the application label includes an aggregation of at least one of: information regarding a plurality of applications, and information regarding a plurality of instances of the application.

According to some embodiments of the invention, the non-transitory computer readable medium further includes instructions to control at least one of: subsequent operations of the instance of the application and operations of at least one other instance of the application according to the operational policy.

According to an aspect of some embodiments of the present invention there is provided a method for controlling application operations on data elements. The method is performed by at least one processor of an endpoint machine configured to run applications and includes:

identifying an attempt by an application running on the endpoint machine to perform an operation on a data element;

obtaining a data element label associated with the data element, the data element label including information regarding the data element;

obtaining an application label associated with the application, the application label including information regarding the application;

determining, based on the data element label and the application label, an operational policy specifying operation permissions of the application with respect to the data element; and

applying, according to the operational policy, a control action to the operation to control the operation by the application on the data element.

According to some embodiments of the invention, applying a control action includes at least one of:

permitting the application to perform the operation on the data element;

restricting an ability of the application to perform the operation on the data element;

permitting the operation;

denying the operation;

controlling access by the application to the data element;

collecting audit data for operations performed by the application on the data element;

dynamically monitoring operations performed by the application on the data element to identify violations of the operational policy;

isolating the endpoint machine from accessing a network;

isolating the endpoint machine from being accessible over a network; and

triggering an alert.

According to some embodiments of the invention, the operation is at least one of: execute, write, read, modify, create and delete.

According to some embodiments of the invention, the method further includes controlling subsequent operations by the application according to the operational policy.

According to some embodiments of the invention, the application label includes at least one of:

a source of the application;

previous operations performed by the application;

previous sessions of the application;

data elements previously used by the application;

identification of a user permitted to use the application;

identification of a group permitted to use the application;

accounts associated with users of the application;

accounts associated with the application; and

a communication protocol associated with the application.

According to some embodiments of the invention, the data element label includes at least one of:

a source of the data element;

a creator of the data element;

an account associated with the data element;

an account that accessed the data element;

a time a previous operation was performed on the data element;

a type of the data element;

a group including the data element;

an application associated with the data element; and

a communication protocol associated with said data element.
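The label-driven procedure described at the start of this summary (identify the attempt, obtain both labels, determine the policy from their combined analysis, apply the control action and update the labels) together with the label contents listed above, as an added Python example; it is not code from the patent, and the label fields, sensitivity groups and policy rules are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Op(Enum):
    EXECUTE = "execute"
    WRITE = "write"
    READ = "read"
    MODIFY = "modify"
    CREATE = "create"
    DELETE = "delete"


class Action(Enum):
    PERMIT = "permit"
    DENY = "deny"
    AUDIT = "audit"
    ALERT = "alert"
    ISOLATE_HOST = "isolate-host"   # cut the endpoint off from the network


# Sensitivity ordering of data element groups (constructed for the example).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class AppLabel:
    """Information about one application instance (fields constructed here)."""
    name: str
    source: str                 # e.g. "signed-vendor", "downloaded", "unknown"
    user: str                   # account running this instance
    permitted_users: frozenset  # users permitted to use the application
    previous_ops: list = field(default_factory=list)  # (Op, data group) history


@dataclass
class DataLabel:
    """Information about one data element (fields constructed here)."""
    path: str
    dtype: str                  # e.g. "document", "credential-store"
    group: str                  # a key of SENSITIVITY
    creator: str
    accessed_by: set = field(default_factory=set)   # accounts that accessed it


def determine_policy(app: AppLabel, data: DataLabel, op: Op) -> set:
    """Combined analysis of both labels; returns the set of control actions."""
    actions = {Action.AUDIT}    # every governed operation produces audit data
    if app.user not in app.permitted_users:
        return actions | {Action.DENY, Action.ALERT}
    if (data.dtype == "credential-store" and op is not Op.READ
            and app.source != "signed-vendor"):
        # Unvetted code altering a credential store: deny and isolate the host.
        return actions | {Action.DENY, Action.ALERT, Action.ISOLATE_HOST}
    if app.source == "unknown" and SENSITIVITY[data.group] >= SENSITIVITY["confidential"]:
        return actions | {Action.DENY, Action.ALERT}
    # Aggregated history carried in the application label: an instance that has
    # already read three or more confidential elements is permitted but alerted on.
    confidential_reads = sum(1 for o, g in app.previous_ops
                             if o is Op.READ and g == "confidential")
    if op is Op.READ and data.group == "confidential" and confidential_reads >= 3:
        actions.add(Action.ALERT)
    return actions | {Action.PERMIT}


def apply_control(app: AppLabel, data: DataLabel, op: Op, actions: set) -> bool:
    """Enforce the decision and dynamically update both labels."""
    if Action.DENY in actions:
        return False
    app.previous_ops.append((op, data.group))   # update the application label
    data.accessed_by.add(app.user)              # update the data element label
    return True


def request(app: AppLabel, data: DataLabel, op: Op) -> tuple:
    """Identify the attempt, obtain both labels, determine the policy, apply it."""
    actions = determine_policy(app, data, op)
    return apply_control(app, data, op, actions), actions


def label_created_element(app: AppLabel, path: str, dtype: str = "document") -> DataLabel:
    """Label a data element created by the instance: it inherits the highest
    sensitivity of any element the instance has previously read or modified."""
    groups = [g for o, g in app.previous_ops if o in (Op.READ, Op.MODIFY)]
    group = max(groups, key=SENSITIVITY.get, default="public")
    return DataLabel(path=path, dtype=dtype, group=group, creator=app.user)


if __name__ == "__main__":
    editor = AppLabel("editor.exe", "signed-vendor", "alice", frozenset({"alice"}))
    report = DataLabel("/share/finance/q3.xlsx", "document", "confidential", "bob")
    print(request(editor, report, Op.READ))
    print(label_created_element(editor, "/home/alice/summary.csv"))
```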

According to some embodiments of the invention, the method further includes dynamically updating at least one of the data element label and the application label.

According to some embodiments of the invention, the method further includes labeling at least one other data element created by the application.

According to some embodiments of the invention, the method further includes labeling at least one other data element identified by the application.

According to some embodiments of the invention, the determining includes reading a local policy file on the endpoint machine.

According to some embodiments of the invention, the determining includes reading a policy from a network resource accessible from the endpoint machine.

According to some embodiments of the invention, the determining is for an instance of the application with respect to the data element.

According to some embodiments of the invention, the method further includes: upon identifying that credentials are required for performing the operation, obtaining, based on the operational policy, corresponding credentials for performing the operation; and

providing the corresponding credentials to the application.

According to some embodiments of the invention, the obtaining an application label is for an instance of the application.

According to some embodiments of the invention, the data element label is an aggregation of information regarding a plurality of data elements.

According to some embodiments of the invention, the application label is an aggregation of information regarding a plurality of applications.

According to some embodiments of the invention, the obtaining of the application label is performed before the obtaining of the data element label.

According to some embodiments of the invention, the obtaining of the application label is performed simultaneously with the obtaining of the data element label.

According to an aspect of some embodiments of the present invention there is provided a system configured for controlling application operations on data elements.

The system includes at least one non-transitory computer readable storage medium storing instructions and at least one processor. The at least one processor is configured to execute the instructions to:

identify an attempt by an application running on an endpoint machine to perform an operation on a data element;

obtain an application label associated with the application, the application label including information regarding the application;

obtain a data element label associated with the data element, the data element label including information regarding the data element;

determine, based on the data element label and the application label, an operational policy specifying operation permissions of the application with respect to the data element; and

apply, according to the operational policy, a control action to the operation to control the operation by the application on the data element.

According to some embodiments of the invention, the applying a control action includes at least one of:

permitting the application to perform the operation on the data element;

restricting an ability of the application to perform the operation on the data element;

permitting the operation;

denying the operation;

controlling access by the application to the data element;

collecting audit data for operations performed by the application on the data element;

monitoring operations performed by the application on the data element in real-time to identify violations of the operational policy;

isolating the endpoint machine from accessing a network;

isolating the endpoint machine from being accessible over a network; and

triggering an alert.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to dynamically update at least one of the data element label and the application label.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to label other data elements created by the application.

According to some embodiments of the invention, the at least one processor is further configured to execute instructions to label other data elements identified by the application.

According to some embodiments of the invention, the system resides on the endpoint machine.

According to some embodiments of the invention, the data element resides in a local memory of the endpoint machine.

According to some embodiments of the invention, the data element resides in a local storage unit accessible via a local network.

According to some embodiments of the invention, the data element resides in a remote storage unit accessible via a remote network.

According to an aspect of some embodiments of the present invention there is provided a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for controlling application operations on data elements. The operations include:

identifying an attempt by an application running on the endpoint machine to perform an operation on a data element;

obtaining a data element label associated with the data element, the data element label including information regarding the data element;

obtaining an application label associated with the application, the application label including information regarding the application;

determining, based on the data element label and the application label, an operational policy specifying operation permissions of the application with respect to the data element; and

applying, according to the operational policy, a control action to the operation to control the operation by the application on the data element.

According to some embodiments of the invention, the instructions, when executed by at least one processor, cause the at least one processor to perform a further operation including: controlling subsequent operations by the application according to the operational policy.

According to some embodiments of the invention, the instructions, when executed by at least one processor, cause the at least one processor to perform a further operation including: dynamically updating at least one of the data element label and the application label.

According to some embodiments of the invention, the determining includesat least one of reading a local policy file on the endpoint machine andreading a policy from a network resource accessible from the endpointmachine.

According to some embodiments of the invention, the instructions, whenexecuted by at least one processor, cause the at least one processor toperform further operations which include:

upon identifying that credentials are required for performing theoperation, obtaining, based on the operational policy, correspondingcredentials for performing the operation; and

providing the corresponding credentials to the application.

Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.

Implementation of the method and/or system of embodiments of the invention can involve performing or completing selected tasks manually, automatically, or a combination thereof. Moreover, according to actual instrumentation and equipment of embodiments of the method and/or system of the invention, several selected tasks could be implemented by hardware, by software or by firmware or by a combination thereof using an operating system.

For example, hardware for performing selected tasks according to embodiments of the invention could be implemented as a chip or a circuit. As software, selected tasks according to embodiments of the invention could be implemented as a plurality of software instructions being executed by a computer using any suitable operating system. In an exemplary embodiment of the invention, one or more tasks according to exemplary embodiments of the method and/or system as described herein are performed by a data processor, such as a computing platform for executing a plurality of instructions. Optionally, the data processor includes a volatile memory for storing instructions and/or data and/or a non-volatile storage, for example, a magnetic hard-disk and/or removable media, for storing instructions and/or data. Optionally, a network connection is provided as well. A display and/or a user input device such as a keyboard or mouse are optionally provided as well.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.

In the drawings:

FIG. 1 is a simplified block diagram of an application control system, according to embodiments of the invention;

FIG. 2 is a simplified network diagram illustrating a configuration of the application control system in a network, according to embodiments of the invention;

FIGS. 3, 4, 5, 6 and 7 are simplified block diagrams showing configurations of an application control system, according to respective exemplary embodiments of the invention;

FIG. 8 is a simplified flowchart of controlling application operations on data elements, according to embodiments of the invention;

FIG. 9 is a simplified network diagram illustrating a configuration of the application control system in a network, according to embodiments of the invention; and

FIG. 10 is a simplified flowchart of controlling operation of untrusted applications in a system environment, according to embodiments of the invention.

DESCRIPTION OF SPECIFIC EMBODIMENTS OF THE INVENTION

The present invention, in some embodiments thereof, relates to controlling operations on data elements and, more particularly, but not exclusively, to policy-based control of operations on data elements.

Embodiments presented herein use an operational policy to control operations performed by an instance or instances of an application with respect to data or data elements. The operational policy applied to the operations is determined from a combined analysis of an application label containing information regarding the application instance(s) and a data label containing information about the data element(s). The operational policy may specify control measures and/or control actions (e.g. protective measures) to be applied with respect to the data element(s).

Embodiments of the invention provide benefits including:

i) The operational policy may be selected and/or built for a specific combination of application instance(s) and data element(s).

ii) Different operational policies may be applied to different instances of the same application, even when those instances perform the same activity on the same data element.

iii) Embodiments of the invention may be implemented in a manner that is completely transparent to a user and/or automated tool on the endpoint.

Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.

The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing.

A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages.

The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).

In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

Reference is now made to FIG. 1, which is a simplified block diagram of an application control system in accordance with embodiments of the invention. FIG. 1 illustrates a centralized embodiment of application control system 100, in which all activities are performed by a single server or machine. In other embodiments, the functionality of the application control system is distributed over multiple machines.

Optionally, application control system 100 includes at least one hardware processor 110 which runs code stored on non-transitory storage medium 120, thereby causing the processor to perform application control as described herein.

For clarity, FIG. 1 describes the application control system as formed from interacting components (e.g. label obtainer, analyzer, etc.), each performing respective functions. These components may be implemented by any means known in the art (e.g. as a process, script, module, etc.).

Activity Identifier

Activity identifier 130 identifies activities by an instance of an application to perform or attempt to perform an operation on a specific data element or elements. Optionally, a notification of the activity is received by application control system 100 from one or more of:

a) The host running the application instance;

b) The machine storing the data element; and

c) A sniffer or other component monitoring network activity.

Activity identifier 130 monitors the application instance. Data obtained via this monitoring may be used for purposes such as identifying activities by the instance of the application in real time, auditing application instance activities and operations, analyzing application instance activities and operations, etc.

Examples of operations which may be performed by an instance of an application on data element(s) include but are not limited to:

1) Reading the data element;

2) Modifying the data element;

3) Deleting the data element;

4) Moving the data element to a different location in the memory;

5) Transferring the data element to a different memory device (e.g. data server);

6) Sending the data element over a network.

Optionally, activities by the application instance which may be identified by activity identifier 130 include but are not limited to:

1) Requesting access to the data element;

2) Requesting access to the machine storing the data element;

3) Attempting to read/modify/delete/move the data element;

4) Using credentials (or a secret) to connect to the machine storing the data elements;

5) Requesting credentials (or a secret) to connect to the machine storing the data elements and/or to access the data elements.

In some cases, when the application instance starts it is not known which data element(s) will be accessed by the application. Optionally, the application instance is monitored and attempts by the application instance to access a data element (e.g. file, folder, registry, internet, intranet server, share, etc.) are intercepted. After interception, the data element being accessed by the application instance is known. Further optionally, intercepting the attempt triggers obtaining the data element label for the data element being accessed.

Label Obtainer

Label obtainer 140 obtains the application label (also denoted an application tag) associated with the application instance and the data element label (also denoted a data element tag) associated with the data element.

Optionally, label obtainer 140 obtains the application label by communicating with a resource associated with the application instance and receiving the application label in reply. Alternately or additionally, label obtainer 140 receives information about the application instance from the resource associated with the application instance, and creates and/or updates the application label based on the received information about the application instance. Alternately or additionally, the resource associated with the application instance pushes the application label to application control system 100 (e.g. when the application instance is created).

The resource may be any system and/or network element associated with the application instance (e.g. accessible over a local or remote network, locally, on the host, etc.) which is capable of providing the label and/or some or all of the information required by label obtainer 140 in order to create and/or update the application label.

Optionally, label obtainer 140 obtains the data element label by querying a resource associated with the data element and receiving the data element label in reply. Alternately or additionally, label obtainer 140 receives information about the data element from the resource associated with the data element, and creates and/or updates the data element label based on the received information. Alternately or additionally, the resource associated with the data element pushes the data element label to application control system 100 (e.g. when the data element is created or modified).

The resource may be any system and/or element associated with the data element (e.g. accessible over a local or remote network, locally, on the machine storing the data element, etc.) which is capable of providing the label and/or some or all of the information required by label obtainer 140 in order to create and/or update the data element label.

The application label includes information about the specific application instance, and optionally additionally includes information about associated application instances. Optionally, the application label includes parameters used for the application instance and/or metadata about the application instance. Information which may be included in the application label includes but is not limited to:

-   a source of the application instance;
-   previous operations performed by the application instance;
-   data elements previously used by the application instance;
-   accounts associated with users of the application instance;
-   accounts associated with the application instance;
-   a creator of the application instance;
-   operations performed by the application;
-   previous sessions of the application;
-   data elements previously used by the application;
-   identification of a user permitted to use the application;
-   identification of a group permitted to use the application;
-   accounts associated with users of the application;
-   accounts associated with the application; and
-   a communication protocol associated with the application (e.g. a protocol which facilitates operations performed by the application).

Optionally, the application label is dynamically updated.

The data element label includes information about a specific data element, and optionally also includes information about associated data elements. Information which may be included in the data element label includes but is not limited to one or more of:

-   a source of the data element;
-   the location of the data element;
-   an account associated with the data element;
-   an account that accessed the data element;
-   a time a previous operation was performed on the data element;
-   a type of the data element;
-   a group including the data element;
-   an application type associated with the data element; and
-   a communication protocol associated with the data element (e.g. a protocol which facilitates the communication and transfer of data elements).

Optionally, the data element label is dynamically updated (e.g. to include information about new data elements that are identified by the application instance and/or that are created by the application instance).

Optionally, data elements associated with (e.g. created by) the application instance are labeled with respective data labels.

Optionally, data elements identified by the application instance are labeled with respective data labels.

Analyzer

Analyzer 150 analyzes the application label and the data element label in combination in order to determine an operational policy. The operational policy governs the operation of the application instance with respect to the data element(s). As used herein, the term “operation of the application instance with respect to the data element(s)” includes operations performed by the application instance on and/or using the data element(s), and/or the use of the application instance with respect to the data element(s).

Optionally, the operational policy sets limitations on how the application instance and/or data element may be used, for example:

a. Boundary enforcement (e.g. prevent files from the Internet from being copied to network file shares and/or prevent files from the internal network from being accessed by a web browser); and

b. Permission enforcement (e.g. prevent non-admin users from changing applications or data elements).

Controller

Controller 160 applies a control action (or actions) to control the operation performed by the application instance on the data element, so that operations associated with the data element are consistent with the operational policy.

Since the operational policy is associated with a specific combination of application instance and data element, the operational policy applied to operations on the same data element(s) may be different for each application instance. Thus operational policies may allow operations by one application instance on a specific data element but deny operations on the same data element by a different application instance. For example, the operational policy allows an application instance running on a host within an organization to edit a given document, whereas an application instance running on a host outside the organization is only allowed to view the document. In another example, the operational policy specifies different types of access to sensitive resources and to public resources (e.g. an Internet Explorer instance connected to a sensitive corporate intranet server will be isolated from a different Internet Explorer instance which is connected to the public Internet).

Optionally, operational policies are stored internally in the application control system. Alternately or additionally, operational policies are obtained by the application control system from an external policy manager or repository.

In order to ease management, operational policies may be defined more broadly than for a specific application or data element, so that a single policy may be used to manage groups of applications (such as “all Microsoft Office applications”) and/or groups of data elements (such as “all data from the Internet”).

Optionally, the operational policy takes into account the label history (for application labels and/or data element labels), where the term history means a combination of labels of previous operations.

Optionally, the applied control action includes at least one of:

-   permitting the application to perform the operation on the data element;
-   restricting an ability of the application to perform the operation on the data element;
-   permitting the operation;
-   denying the operation;
-   controlling access by the application to the data element;
-   collecting audit data for operations performed by the application on the data element;
-   monitoring operations performed by the application on the data element in real time to identify violations of the operational policy;
-   isolating the host from accessing a network;
-   isolating the host from being accessible over a network;
-   preventing the application instance from using credentials;
-   issuing and/or providing to the application instance credentials enabling the operation; and
-   triggering an alert.

Optionally, the application control system controls subsequent operations by the application according to the operational policy.

The control action may be performed by any means known in the art. For example, control actions that involve isolating the host may be implemented by a driver on the host machine and/or by applying a firewall configuration which blocks network access by the host.

Network Interface

Optionally, application control system 100 includes network interface 170 for communicating over a network. Network interface 170 may be used to communicate with one or more of:

a) Host computers running applications;

b) Data servers (or other machines storing data elements);

c) A label database maintaining data element labels and/or application labels; and

d) An account management system managing account privileges and/or credentials.

Reference is now made to FIG. 2, which is a simplified network diagram of an application control system in network communication with a host and a data server, according to embodiments of the invention. In the non-limiting embodiment of FIG. 2, application control system 200, host 210 and data server 220 reside on separate machines and communicate over network 230. Other exemplary configurations are illustrated in FIGS. 3-7.

Host 210 is the machine which runs application instance 215. Optionally, a single host runs multiple instances of the same application. For example, the file “notepad.exe” may be run multiple times on a Windows machine; that is, multiple processes are created, each providing a separate instance. Additionally or alternately, different instances of the same application may run on different respective hosts. Each instance of the application may run with different respective parameters. For example, some instances may be executed at a different time than other instances, run under a different account, perform different operations, etc.

Optionally, host 210 also runs application label generator 216, which maintains respective labels for application instances, as required. For example, application label generator 216 may generate a respective application label 202 when the application instance is created. Alternately, application label generator 216 may generate application label 202 when prompted by application control system 200.

Data server 220 stores data element(s) 225. The data element may be:

i) Locally available data, for example residing in a local memory or storage located on-premises, or associated with on-premises software installed and run on local resources or computers.

ii) SaaS-based data that is centrally hosted at a remote facility, in the model commonly referred to as software as a service or cloud computing.

Alternately or additionally, data element(s) are stored locally on the host running the application instance.

Optionally, data server 220 also runs data label generator 226 which generates and/or maintains respective labels for data elements.

Application control system 200 analyzes data element and application labels in order to determine the relevant operational policy. FIG. 2 shows the non-limiting embodiment in which operational policy 205 is stored on and/or generated by application control system 200. Alternately or additionally, the operational policy may be retrieved from an external policy repository or selected from policies stored on data server 220.

Upon identifying an activity by application instance 215 to perform an operation on data element 225 (for example an attempt to read or modify data element 225), application control system 200 obtains labels for application instance 215 and data element 225. In an exemplary embodiment, the activity by application instance 215 is detected by an element (such as a sniffer) on network 230 which monitors network communication (e.g. between host 210 and data server 220). Optionally, the network element ensures that the relevant application label 202 and data element label 201 are provided to application control system 200.

Application control system 200 analyzes application label 202 and data element label 201 in combination and determines which operational policy should be used. Based on operational policy 205, a control action is applied.

Optionally, application control system 200 obtains data element label 201 and/or application label 202 from label repository 240.

Optionally, the application control system performs, or assists in, credential management. Further optionally, upon identifying that credentials are required for performing the operation, corresponding credentials for performing the operation are obtained based on the operational policy. The corresponding credentials are provided to the application instance.

Optionally, the credentials are issued by:

a) Proxying a connection with a secure storage;

b) Providing the credentials directly from a secure storage; or

c) Communicating with an authentication server and causing the authentication server to inject the credentials into the application instance.
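As an added illustration, not part of the patent application, the following Python sketch shows issuance modes a) and b) above side by side: a broker holds the secret, records every request, and, according to the operational policy it is handed, either proxies the connection so that the application instance receives a secret-free session handle, hands the secret over directly, or refuses. The secure storage, the stand-in data server, the account name, the `credentials` field of the operational policy and the process label are all constructed for this example; mode c), injection by an authentication server, is not simulated.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a secure storage (vault); not a real vault API.
SECURE_STORAGE = {"svc_finance": "Qx7-finance-2016"}


class DataServer:
    """Stand-in for the machine storing the data element; it authenticates account + secret."""

    def __init__(self, accounts: dict):
        self._accounts = accounts
        self.sessions = 0

    def connect(self, account: str, secret: str) -> str:
        expected = self._accounts.get(account, "")
        if not hmac.compare_digest(expected.encode(), secret.encode()):
            raise PermissionError(f"authentication failed for {account}")
        self.sessions += 1
        return f"session-{self.sessions}:{account}"


@dataclass
class Session:
    """Handle returned to the application instance in proxy mode.

    It is bound to the requesting process and carries no secret, so the secret
    cannot be read out of the instance's memory or forwarded to another host.
    """
    pid: int
    server_session: str

    def read(self, path: str) -> str:
        return f"{self.server_session} read {path}"


@dataclass
class CredentialBroker:
    storage: dict
    server: DataServer
    audit: list = field(default_factory=list)   # (pid, account, mode) per request

    def issue(self, app_label: dict, policy: dict, account: str):
        """Obtain credentials for the instance according to the operational policy.

        policy["credentials"] (an assumed field) is one of:
          "deny"   - the instance may not use the account at all;
          "direct" - the secret is handed to the instance (mode b);
          "proxy"  - the broker authenticates and hands back a secret-free session (mode a).
        """
        mode = policy.get("credentials", "deny")
        self.audit.append((app_label["pid"], account, mode))   # refusals are audited too
        if mode == "deny" or account not in self.storage:
            raise PermissionError(f"instance {app_label['pid']} may not use {account}")
        secret = self.storage[account]
        if mode == "direct":
            return secret
        if mode == "proxy":
            return Session(app_label["pid"], self.server.connect(account, secret))
        raise ValueError(f"unknown credential mode {mode!r}")


if __name__ == "__main__":
    server = DataServer(dict(SECURE_STORAGE))
    broker = CredentialBroker(SECURE_STORAGE, server)
    excel = {"pid": 4242, "name": "excel.exe"}          # constructed application label
    session = broker.issue(excel, {"credentials": "proxy"}, "svc_finance")
    print(session.read(r"\\fileserver\finance\q1.xlsx"))
```

Proxy mode is the one that keeps the secret out of the endpoint entirely: the instance can perform operations through the session, but the control action "preventing the application instance from using credentials" can be enforced later simply by invalidating the session at the broker, without rotating the account's secret.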

FIGS. 3-7 illustrate exemplary configurations for an application control system, according to exemplary embodiments of the invention. The application label and the data element label may be obtained by the application control system by any means known in the art (including but not limited to the embodiments described herein).

In FIG. 3, application control system 300 is external to host 310 and controls host 310 remotely over network 330. In one exemplary embodiment, application control system 300 resides on at least one local server accessible via a local network. In a second exemplary embodiment, application control system 300 resides on at least one remote server accessible via an external network. In another exemplary embodiment, application control system 300 resides on at least one cloud based asset.

FIG. 4 illustrates an alternate exemplary embodiment in which application control system 400 resides on host 410 and applies the operational policy internally. Optionally, application control system 400 obtains the application label internally. Alternately or additionally, the application label is provided by an external element (not shown). Data element(s) operated on by application 420 may be stored on host 410 and/or accessed over a network from another location.

In FIG. 5, data element 530 (on which application instance 520 is attempting to perform an operation) is fetched by host 510 from another location. For example, the data element may be fetched from a local storage unit accessible via a local network or from a remote storage unit accessible via a remote network.

In FIG. 6, application control system 600 applies the operational policy at host 610 remotely. Data element 640 (on which application instance 620 is attempting to perform an operation) is stored in a local memory on host 610.

In FIG. 7, data element 720 (on which application instance 740 is attempting to perform an operation over network 750) is stored on memory 710 (where the term memory denotes any machine capable of storing a data element). Application control system 700 resides on memory 710 and applies operational policy 705 internally at memory 710.

Reference is now made to FIG. 8, which is a simplified flowchart of a method for controlling application operations on data elements, according to embodiments of the invention. Optionally, the method is performed by an application control system in accordance with embodiments described herein.

Optionally, an instance of an application running on a host (e.g. an endpoint machine) is monitored. Non-limiting examples of aspects of the application instance which may be monitored include operations performed by the application instance itself, operations by associated application instances, network communication by the application instance, data created/modified/deleted by the application instance, etc.

In 810, an activity by the running application instance to perform an operation associated with a data element is identified. Optionally, the operation on the data element is one of: execute, write, read, modify, create and delete.

In 820, an application label associated with the instance of the application is obtained. The application label includes information regarding the application instance (and optionally information about other instances of the application).

Optionally, the application label is an aggregation of information regarding multiple instances of the application. Exemplary embodiments of aggregating information from many application instances into a single application label are described below.

In 830, the data element label associated with the data element is obtained. The data element label includes information regarding the data element. Optionally, the data element label is an aggregation of information regarding multiple data elements.

In 840, an operational policy is determined based on a combined analysis of the data element label and the application label. The operational policy governs the operation of the application instance with respect to the data element (e.g. specifies operation permissions of the application with respect to the data element).

Optionally, the application control system obtains multiple application labels and/or multiple data element labels, and the analysis is based on a combination of the application labels and/or the data element labels.

Optionally, different operational policies are specified with respect to the data element for different instances of the application. The combined analysis of the data element label with the application label of a first instance of the application may yield one operational policy, whereas the combined analysis of the data element label with the application label of a second instance of the application may yield a different operational policy.

Optionally, the operational policy is determined by reading a localpolicy file on the host. Alternately or additionally, the operationalpolicy is determined by reading a policy file from a network resourceaccessible from the host.

Optionally, the application label and/or the data element label maycontain no data. The absence of data in a label may itself be a factorwhich is used to determine the operational policy.

In 850, the application control system controls the operation performedby the application on the data element by applying at least one controlaction to the operation. The control action(s) are specified by theoperational policy.

The timing and sequence of obtaining the application label and the dataelement label (820 and 830) are not necessarily dependent, as long asboth the application label and the data element label are available todetermine the operational policy used to control the operation. FIG. 8shows an optional embodiment in which the application label and the dataelement label are obtained in parallel. Alternately, the applicationlabel and the data element label are obtained in sequential order (e.g.first the application label and then the data element label).
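The following is an added illustration of the FIG. 8 flow (steps 810 to 850) and is not code from the patent or from any product described in it. It assumes that labels are plain mappings, that policy rules are evaluated in priority order with the first match deciding, and that a label containing no data is itself a factor (an unlabeled element is denied and audited). The label fields, hosts, process ids, file paths and policy names are constructed sample values; the two instances of the same application on host-a differ only in their "source" field, which is what makes the combined analysis yield different operational policies for them. The labels can be obtained in parallel (as FIG. 8 shows) or sequentially with the same result.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Label = Dict[str, str]          # a label is a plain mapping; {} means "no data"


@dataclass(frozen=True)
class Activity:
    """Step 810: an identified attempt by an application instance."""
    host: str
    pid: int
    operation: str              # execute | write | read | modify | create | delete
    data_element: str


@dataclass(frozen=True)
class OperationalPolicy:
    name: str
    control_action: str         # allow | restrict | deny
    audit: bool = False


@dataclass(frozen=True)
class PolicyRule:
    """One rule of the combined analysis: a predicate over both labels."""
    name: str
    matches: Callable[[Label, Label, Activity], bool]
    policy: OperationalPolicy


# Constructed sample labels (hypothetical hosts, pids and paths).
APP_LABELS: Dict[Tuple[str, int], Label] = {
    ("host-a", 1001): {"name": "winword.exe", "publisher": "Microsoft Corporation", "source": "sccm"},
    ("host-a", 1002): {"name": "winword.exe", "publisher": "Microsoft Corporation", "source": "removable_device"},
    ("host-b", 2001): {"name": "tool.exe"},   # unknown publisher, unknown source
}
DATA_LABELS: Dict[str, Label] = {
    "\\\\share\\finance\\q1.docx": {"file_type": "office", "classification": "sensitive"},
}
TRUSTED_PUBLISHERS = {"Microsoft Corporation"}
TRUSTED_SOURCES = {"sccm", "golden_image"}

RULES: List[PolicyRule] = [   # already in priority order; first match wins
    PolicyRule("unlabeled", lambda a, d, act: not a or not d,
               OperationalPolicy("unlabeled-deny", "deny", audit=True)),
    PolicyRule("trusted-instance",
               lambda a, d, act: a.get("publisher") in TRUSTED_PUBLISHERS and a.get("source") in TRUSTED_SOURCES,
               OperationalPolicy("trusted-allow", "allow")),
    PolicyRule("trusted-app-untrusted-source",
               lambda a, d, act: a.get("publisher") in TRUSTED_PUBLISHERS and d.get("classification") == "sensitive",
               OperationalPolicy("sensitive-restrict", "restrict", audit=True)),
]
DEFAULT_POLICY = OperationalPolicy("default-deny", "deny", audit=True)


def obtain_application_label(activity: Activity) -> Label:
    """Step 820. A missing entry yields an empty label, which is itself a factor."""
    return APP_LABELS.get((activity.host, activity.pid), {})


def obtain_data_element_label(activity: Activity) -> Label:
    """Step 830."""
    return DATA_LABELS.get(activity.data_element, {})


def determine_policy(app_label: Label, data_label: Label, activity: Activity) -> OperationalPolicy:
    """Step 840: combined analysis of both labels."""
    for rule in RULES:
        if rule.matches(app_label, data_label, activity):
            return rule.policy
    return DEFAULT_POLICY


def apply_control(activity: Activity, policy: OperationalPolicy, audit_log: List[str]) -> str:
    """Step 850: the control action is recorded and returned here; a real
    enforcement point would turn it into a driver or firewall decision."""
    if policy.audit:
        audit_log.append(f"{policy.name} {activity.host}:{activity.pid} {activity.operation} {activity.data_element}")
    return policy.control_action


def decide(activity: Activity, audit_log: List[str], parallel: bool = True) -> str:
    """Steps 810-850 end to end; labels fetched in parallel or in sequence."""
    if parallel:
        with ThreadPoolExecutor(max_workers=2) as pool:
            app_future = pool.submit(obtain_application_label, activity)
            data_future = pool.submit(obtain_data_element_label, activity)
            app_label, data_label = app_future.result(), data_future.result()
    else:
        app_label = obtain_application_label(activity)
        data_label = obtain_data_element_label(activity)
    return apply_control(activity, determine_policy(app_label, data_label, activity), audit_log)


if __name__ == "__main__":
    log: List[str] = []
    doc = "\\\\share\\finance\\q1.docx"
    for act in (Activity("host-a", 1001, "write", doc), Activity("host-a", 1002, "write", doc),
                Activity("host-b", 2001, "read", doc), Activity("host-a", 1001, "read", "C:\\temp\\notes.txt")):
        print(act.host, act.pid, act.operation, "->", decide(act, log))
    print("\n".join(log))
```

The rule order encodes the priority: the absence of a label is checked before any trust decision, so an unlabeled file is never released to a trusted application merely because the application is trusted.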

Optionally, auditing data is collected for the purpose of monitoring and auditing operations by application instances.

Optionally, activity in the network is monitored by following the labels on the data elements.

Policy Manager

Optionally, the application management system includes or communicates with a policy manager which manages the operational policies. The policy manager may run on any network component which allows it to perform its functions, for example a server in an internal network or a Cloud server. Optionally the policy manager manages one or more of:

a) Operational policy distribution;

b) Collecting policy audit information;

c) Generating an alert of an attempt to access the information resource in a way not specified or permitted by the operational policy;

d) Providing a user interface, for example to enable the user to create the policies. Optionally the policy manager includes pre-defined templates.

e) Managing the configurations of software agents, such as agents implementing the operational policy determination and/or labeling and/or controlling operations according to the operational policy.

Application Label for Multiple Application Instances

Optionally, the analysis which determines the operational policy is based on information regarding multiple instances of the application. The operational policy governs the operation of a particular application instance running on a host. In other words, the analysis used to determine the operational policy for a particular application instance may be based on information from multiple application instances, not only information about the specific application instance performing the activity and the specific data element on which the operation is to be performed.

The application instances may be running on the same host (e.g. endpoint machine) or on different hosts. Optionally the multiple application instances are correlated in some way, for example if they perform operations on the same specific data element or on data elements associated with the specific data element.

The information from multiple hosts may come in the form of data and/or metadata about the applications and/or application labels.

Optionally, in order for the application label to include information from multiple host machines, the labels are shared amongst the hosts.

In some embodiments, the labels are shared amongst the hosts using a label server which generates application and/or data element labels. Labels may be generated for applications running on multiple hosts in the network, whether on a regularized basis, according to some defined logic or on some other basis. Alternately or additionally, the label server may generate a data label containing information about data elements stored on multiple storage units.

The label server is optionally configured to maintain a registry of available and/or relevant labels (application and data element labels) in the network. Optionally, the registry is external; for example, implemented in the form of a “Master” server in a containers environment. In other Cloud environments it may be on the Cloud management component. In on-premise environments the registry may be a central application registry or software/inventory management module.

Optionally, when multiple application labels and/or multiple data element labels are used, determining the operational policy includes:

a) Receiving multiple labels at the decision point (e.g. an application control system) and performing the analysis based on those multiple labels; and/or

b) Enriching existing labels with information from other labels, so that at the decision point the analysis is performed using just two labels, a single application label and a single data label.

Optionally, the data element label includes information indicating which applications and/or application instances accessed the data element, and, optionally, when and/or for what purpose the data element was accessed. When the data element label includes this information, it may not be necessary to collect information from multiple application instance labels. For example, the fact that many users sent the same document by mail will be reflected in the document's data element label and will thus be available when the operational policy is determined and applied to the next attempt by an application instance to access the data element.

Utilizing multiple application labels or an aggregated application label to determine the operational policy is useful when hosts of other application instances do not communicate with the data element (e.g. a particular document) but it is desired to include them in the decision. For example the operational policy may specify “only allow access if there are less than five instances of application labeled X running in the network”. This scenario may be particularly appropriate for complex environments such as the Cloud or Containers.

In an exemplary embodiment, when an application instance attempts to perform an operation on a data element, application instance labels are collected for other application instances (e.g. from respective hosts) before determining the operational policy. In order to facilitate this collection, a registry of other application instances in the environment may be maintained, optionally with a mapping of relevance (e.g. which labels to collect for making the decision).
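The following is an added example of option (b) above, label enrichment, and of the "less than five instances" policy; it is not code from the patent. It assumes a registry (the patent's label server) to which every host publishes the label of each running instance, and which also appends access history to a data element label so that the decision point sees only two labels: one aggregated application label and one enriched data element label. The host names, application names, document id and the mail threshold are constructed; the instance threshold of five is the figure quoted in the text.

```python
from collections import Counter
from typing import Dict, List, Tuple

Label = Dict[str, object]


class LabelRegistry:
    """Hypothetical label server: application labels published by every
    host, plus data element labels enriched with access history."""

    def __init__(self) -> None:
        self.app_labels: Dict[Tuple[str, int], Label] = {}   # (host, pid) -> label
        self.data_labels: Dict[str, Label] = {}             # data element id -> label

    def publish_app_label(self, host: str, pid: int, label: Label) -> None:
        self.app_labels[(host, pid)] = label

    def retire_app_label(self, host: str, pid: int) -> None:
        self.app_labels.pop((host, pid), None)

    def aggregated_app_label(self, app_name: str) -> Label:
        """Fold the labels of every running instance of one application,
        wherever it runs, into a single application label."""
        entries = [(host, lbl) for (host, _pid), lbl in self.app_labels.items()
                   if lbl.get("name") == app_name]
        return {
            "name": app_name,
            "instance_count": len(entries),
            "hosts": sorted({host for host, _ in entries}),
            "sources": Counter(str(lbl.get("source", "unknown")) for _, lbl in entries),
        }

    def record_access(self, data_element: str, host: str, app_name: str, purpose: str) -> None:
        """Enrich the data element label with who accessed it and for what
        purpose, so later decisions need no other hosts' labels at all."""
        label = self.data_labels.setdefault(data_element, {"access_history": []})
        label["access_history"].append({"host": host, "app": app_name, "purpose": purpose})


def hosts_that_mailed(data_label: Label) -> int:
    """Number of distinct hosts that have sent this data element by mail."""
    history: List[Dict[str, str]] = data_label.get("access_history", [])  # type: ignore[assignment]
    return len({e["host"] for e in history if e["purpose"] == "send_mail"})


def decide_aggregated(registry: LabelRegistry, app_name: str, data_element: str,
                      max_instances: int = 5, max_mailing_hosts: int = 3) -> str:
    """Combined analysis over one aggregated application label and one
    enriched data element label. max_instances=5 mirrors the policy quoted
    in the text; max_mailing_hosts is a constructed threshold."""
    app_label = registry.aggregated_app_label(app_name)
    data_label = registry.data_labels.get(data_element, {})
    if app_label["instance_count"] >= max_instances:
        return "deny"          # only allow if fewer than five instances are running
    if hosts_that_mailed(data_label) >= max_mailing_hosts:
        return "restrict"      # mass-mailed document: the signal is in the data label
    return "allow"


def build_sample_registry() -> LabelRegistry:
    """Constructed environment: four hosts run app-x; doc-42 has already
    been mailed from three different hosts."""
    reg = LabelRegistry()
    for i, host in enumerate(("h1", "h2", "h3", "h4")):
        reg.publish_app_label(host, 100 + i, {"name": "app-x", "source": "sccm"})
    reg.publish_app_label("h1", 200, {"name": "mailer", "source": "sccm"})
    for host in ("h1", "h2", "h3"):
        reg.record_access("doc-42", host, "mailer", "send_mail")
    reg.record_access("doc-42", "h4", "viewer", "read")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.aggregated_app_label("app-x"))
    print("app-x -> doc-7:", decide_aggregated(reg, "app-x", "doc-7"))
    print("mailer -> doc-42:", decide_aggregated(reg, "mailer", "doc-42"))
```

Publishing a fifth app-x label from any host flips the first decision to deny, and retiring it flips it back; the mailing decision needs no application label beyond the requesting instance's own, because the history was folded into the document's label.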

Optionally, the label server publishes labels to multiple hosts in the network. The publishing of labels may vary from one implementation to another and from one system environment to another. For example, the labels may be published whenever a new application label and/or data element label is generated or when a ‘sensitive’ label or ‘possibly suspicious’ label is generated. The labels may be published to all hosts or only to relevant hosts.

Operational Policy for Controlling the Operation of Untrusted Applications in a System Environment

Some embodiments of the instant invention use an operational policy to control operations by an instance of an application with respect to a server. In such embodiments the operational policy is determined based on a combined analysis of the application label and information pertaining to the server. Some embodiments of using an operational policy to control operations by an instance of an application with respect to a server are described below. However the scope of the invention is not limited to the embodiments described below, but encompasses all applicable embodiments described above with respect to controlling operations on data elements, where the combined analysis is based on the application label and information pertaining to the server and the control action is applied according to said operational policy to control the operation by the application instance with respect to the server.

Reference is now made to FIG. 9, which is a simplified network diagram illustrating a configuration of the application control system in a network, according to embodiments of the invention. FIG. 9 corresponds substantially to FIG. 2, however in the embodiments of FIG. 9 application control system 900 performs the combined analysis on the application label and data pertaining to server 920.

Optionally the information pertaining to the server includes, but is not limited to, one or more of:

a) a communication protocol associated with the server;

b) an Internet Protocol (IP) address associated with the server;

c) a port number indicative of a location of the server;

d) a port number associated with the server;

e) a host name associated with the server; and

f) a Uniform Resource Locator (URL) address.

For example, the operational policy may restrict communication between an application instance and the server to a specific protocol, such as the Hypertext Transfer Protocol (HTTP). When an attempt by an application instance to communicate with a different protocol is identified, the application control system may deny (or otherwise restrict) the connection.

Optionally, the application instance runs on host 910 (as shown). Alternately or additionally, the application instance runs on server 920 (not shown).

Reference is now made to FIG. 10, which is a simplified network diagram illustrating a configuration of the application control system in a network, according to embodiments of the invention. FIG. 10 corresponds substantially to FIG. 8, however in the embodiments of FIG. 10, in 1030 the obtained information pertains to the server. Additionally, in 1050 the control action applied according to the operational policy controls the operation by the application instance with respect to the server.

Optionally, identifying the activity by the application instance includes intercepting an attempt by the instance of the running application to communicate with the server and/or intercepting an attempt by the instance of the running application to access the server.

Optionally, the applied control action includes one or more of:

a) permitting the instance of the application to perform the operation on the server;

b) restricting an ability of the instance of the application to perform the operation on the server;

c) denying the operation;

d) controlling access by the instance of the application to the server;

e) collecting audit data for operations performed by the instance of the application on the server;

f) monitoring operations performed by the instance of the application on the data element in real-time to identify violations of the operational policy;

g) isolating the host from accessing a network;

h) isolating the host from being accessible over a network;

i) isolating the host from the system environment of the target machine; and

j) triggering an alert.

The control action may be performed by any means known in the art. For example, control actions that involve isolating the host may be implemented by a driver on the host machine and/or by applying a firewall configuration which blocks network access by the host.

Use Cases

Following are three use cases illustrating exemplary embodiments of the invention.

Use Case 1—Ransomware Protection Policy

Ransomware is a form of malware designed to infect machines, encrypt as many files as possible and hold the decryption key for ransom until the victim submits the required payment. Most anti-malware and anti-ransomware solutions today focus on blocking malware at the point of inception. These solutions may be helpful when it is known what to look for, but when it comes to ransomware there are new variants coming out every day. It is extremely difficult to stay ahead of the attackers and block all variations of ransomware from entering a network.

The solution provided by exemplary use case 1 is based on an operational policy denoted the Ransomware Protection Policy (RPP) that is applied to operations by the running application instance. The Ransomware Protection Policy protects files and documents from ransomware, and may be suitable for other types of known or yet to be known malware.

The RPP controls operations and/or access by the application instance to the specified files. For example, the RPP may identify known trusted applications. Control actions are applied to allow access to the data element by instances of known trusted applications while access by other application instances is controlled (whether limited or restricted or other, according to the specific implementation). By limiting access by unknown (potentially ransomware) applications to the document files, document files are protected from a ransomware attack.

The RPP controls operations of an application instance based on information obtained from the application label(s) and/or data element label.

Optionally, the application label includes information on one or more of:

i) Application file location, checksum, name, owner, version, product name, description, publisher, runtime arguments, etc.;

ii) Application source (e.g. installed by Microsoft System Center Configuration Manager, installed from the package downloaded from the specific URL, specific organizational network share, removable device, received by email, copied from another computer, installed by the specific user group, etc.);

iii) Account using the application instance;

iv) Operations performed by the application instance;

v) Creator of the application; and

vi) Communication protocol associated with the application.

Optionally, the data element label includes one or more of:

i) Specific file types (e.g. all the Microsoft Office files);

ii) Specific location of the data element (e.g. all the Microsoft Office files located on all the organizational shares and local disks);

iii) The source of the data;

iv) Application type associated with the data element;

v) Communication protocol associated with the data element; and

vi) Accounts which accessed the data element.

Optionally, the RPP is implemented in kernel mode drivers (e.g. a “Windows File System Minifilter Driver” for file system/registry access control and/or a “WFP—Windows Filtering Platform Driver” for network access control).

Some ransomware uses a well-known (possibly trusted) application to access and encrypt the data files (e.g. the malware runs cmd.exe and encrypts the files using commands passed to cmd.exe, or injects the malicious code into the memory of the running Microsoft Word application). In order to protect the data elements from such ransomware, the Ransomware Protection Policy may include additional protection rules such as:

i) Protect the trusted application from any kind of injection from the untrusted application (e.g. restrict access to the memory of the trusted running application instance from any unknown untrusted process); and/or

ii) Protect the specified data files from access by the trusted application if the current application instance (process) is compromised (e.g. the trusted application was launched by some unknown untrusted application).
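The following is an added example of an RPP decision, including the two additional rules above; it is not the patent's code or any product's implementation. It assumes that a trusted application is identified by the publisher and checksum carried in its application label, that a protected document is identified by file type and location in its data element label, and that each process record carries its parent process id so that rule ii can be evaluated by walking the launch chain (a parent with no label counts as untrusted). The process tree, the file paths and the checksum strings are constructed placeholders, not real hashes.

```python
from typing import Dict, Optional, Tuple

# Constructed allowlist: (publisher, checksum) pairs from the application label.
# The checksum strings are placeholders, not real file hashes.
TRUSTED_APPS = {
    ("Microsoft Corporation", "sha256:PLACEHOLDER-WINWORD"),
    ("Microsoft Corporation", "sha256:PLACEHOLDER-EXPLORER"),
}
PROTECTED_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
PROTECTED_ROOTS = ("\\\\fileserver\\docs\\", "C:\\Users\\")

# pid -> {"label": application label, "parent": parent pid or None}
Processes = Dict[int, Dict[str, object]]


def is_trusted(app_label: Dict[str, str]) -> bool:
    return (app_label.get("publisher"), app_label.get("checksum")) in TRUSTED_APPS


def is_protected(data_label: Dict[str, str]) -> bool:
    """Data element label: protected if file type and location both match."""
    path = data_label.get("path", "")
    return data_label.get("ext", "").lower() in PROTECTED_EXTENSIONS and path.startswith(PROTECTED_ROOTS)


def launched_by_untrusted(pid: int, processes: Processes) -> bool:
    """Rule ii: a trusted instance is treated as compromised if any ancestor
    in its launch chain is untrusted or carries no label at all."""
    seen = set()
    current = processes.get(pid)
    while current is not None and current["parent"] is not None and current["parent"] not in seen:
        parent_pid = current["parent"]
        seen.add(parent_pid)
        parent = processes.get(parent_pid)
        if parent is None or not is_trusted(parent["label"]):
            return True
        current = parent
    return False


def evaluate_rpp(pid: int, operation: str, processes: Processes,
                 data_label: Optional[Dict[str, str]] = None,
                 target_pid: Optional[int] = None) -> Tuple[str, str]:
    """Returns (control action, reason). Operations are the file operations
    of the text plus "open_process_memory", used for the injection rule."""
    proc = processes.get(pid)
    app_label = proc["label"] if proc else {}
    trusted = is_trusted(app_label)

    if operation == "open_process_memory":          # rule i: no injection into trusted instances
        target = processes.get(target_pid if target_pid is not None else -1)
        if target and is_trusted(target["label"]) and not trusted:
            return "deny", "untrusted-process-memory-access"
        return "allow", "memory-access-not-covered"

    if not is_protected(data_label or {}):
        return "allow", "not-a-protected-document"
    if not trusted:
        # unknown (potentially ransomware) instances may still read, with audit,
        # but every change to a protected document is denied
        return ("audit", "untrusted-read") if operation == "read" else ("deny", "untrusted-write")
    if launched_by_untrusted(pid, processes):
        return "deny", "trusted-app-launched-by-untrusted"
    return "allow", "trusted-application"


def sample_processes() -> Processes:
    """Constructed tree: explorer -> winword (100); dropper (150) -> cmd (200) -> winword (300)."""
    ms = "Microsoft Corporation"
    return {
        4:   {"label": {"name": "explorer.exe", "publisher": ms, "checksum": "sha256:PLACEHOLDER-EXPLORER"}, "parent": None},
        100: {"label": {"name": "winword.exe", "publisher": ms, "checksum": "sha256:PLACEHOLDER-WINWORD"}, "parent": 4},
        150: {"label": {"name": "dropper.exe", "source": "email"}, "parent": 4},
        200: {"label": {"name": "cmd.exe", "publisher": ms, "checksum": "sha256:PLACEHOLDER-CMD"}, "parent": 150},
        300: {"label": {"name": "winword.exe", "publisher": ms, "checksum": "sha256:PLACEHOLDER-WINWORD"}, "parent": 200},
    }


DOC = {"ext": ".docx", "path": "\\\\fileserver\\docs\\contract.docx"}

if __name__ == "__main__":
    procs = sample_processes()
    for pid, op in ((100, "write"), (150, "write"), (150, "read"), (300, "write")):
        print(pid, op, "->", evaluate_rpp(pid, op, procs, DOC))
    print(150, "open_process_memory", "->", evaluate_rpp(150, "open_process_memory", procs, target_pid=100))
```

The second winword instance (pid 300) carries exactly the same application label as the first, yet is denied: the difference lies only in its launch chain, which is the situation rule ii describes.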

Optionally, the Ransomware Protection Policy includes specific settings for auditing ransomware attacks, logging attempts to access the files and/or end-user notifications about such events.

Use Case 2—Server Access by Untrusted Application Protection Policy

The most sensitive data in most organizations is often located on the organizational servers (placed on premise or on the Cloud). The major purpose of many types of malicious software is to get access to the organization's data and to steal the sensitive information. Use case 2 deals with application to server control, in order to protect the server from access by and/or operation with untrusted applications. This protection may include controlling the operation of an application on a particular server, including interaction and communication of an application instance with respect to a particular server.

The solution provided by the exemplary use case is based on an operational policy denoted the Server Protection Policy (SPP). According to the SPP only trusted known application instances may access the protected server. Any network access of the protected server by an unknown untrusted application instance is blocked.

In an exemplary embodiment, the SPP is determined based on the information specified in the application label and information pertaining to the server (e.g. as shown in FIG. 10).

The SPP may be applied to control operations by an application instance, based on information and data included in one or more application labels including but not limited to:

i) Application file location, checksum, name, owner, version, product name, description, publisher, runtime arguments, etc.;

ii) Application source (e.g. installed by Microsoft System Center Configuration Manager, installed from the package downloaded from the specific URL, specific organizational network share, removable device, received by email, copied from another computer, installed by the specific user group, etc.);

iii) Account using the application instance;

iv) Operations performed by the application instance;

v) Creator of the application; and

vi) Communication protocol associated with the application.

The SPP includes the appropriate server set (assigned to the specific application instance) defined by the hostname, IP, location, URL, etc. In the context of use case 2, these servers are considered data elements. This type of information about the identity of the server may be specified and obtained from the application label and/or may be specified in the request for connection or operation.

The SPP controls the network operation and/or access of the requesting application instance to the specified servers. For example, any network access initiated by the trusted application instance is allowed whereas any network access initiated by any other application instance is controlled, restricted or completely blocked.

The appropriate SPP is applied on the application instance's launch (e.g. launch of an application instance running on an endpoint machine). All the active policies are considered in order (sorted by priority). Once the launched application instance is matched by some policy, the appropriate restriction rule is activated. In one example, the Windows Filtering Platform Driver (WFP) is used for the network access control. Using the WFP driver, the network connection from the application instance to the appropriate server is blocked.

Non-limiting examples of SPPs include:

i) Allow Microsoft Outlook to connect to Microsoft Exchange servers; and

ii) Allow application instances signed by Microsoft Corporation and Adobe Systems to connect to SharePoint Servers.
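The following is an added example that encodes the two SPPs just listed, together with the protocol restriction described earlier for server-directed policies (restricting an application instance to a specific protocol and denying other protocols); it is not the patent's code. It assumes the server is described by the items a) to f) above (protocol, IP address, port, hostname, URL), that policies are considered in priority order with the first matching policy deciding, and that an instance matched by no policy is an untrusted instance and is blocked. The hostnames, IP networks, ports and signer strings are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ServerInfo:
    """Information pertaining to the server (items a to f of the text)."""
    protocol: str        # a) e.g. "https", "smb"
    ip: str              # b)
    port: int            # c) / d)
    hostname: str        # e)
    url: str = ""        # f)


@dataclass(frozen=True)
class ServerSet:
    """Server set assigned to a policy; an empty field matches everything."""
    hostname_suffixes: Tuple[str, ...] = ()
    networks: Tuple[str, ...] = ()
    ports: Tuple[int, ...] = ()
    protocols: Tuple[str, ...] = ()

    def identifies(self, s: ServerInfo) -> bool:
        host_ok = not self.hostname_suffixes or s.hostname.endswith(self.hostname_suffixes)
        net_ok = not self.networks or any(ip_address(s.ip) in ip_network(n) for n in self.networks)
        port_ok = not self.ports or s.port in self.ports
        return host_ok and net_ok and port_ok

    def protocol_allowed(self, s: ServerInfo) -> bool:
        return not self.protocols or s.protocol in self.protocols


@dataclass(frozen=True)
class ServerProtectionPolicy:
    name: str
    priority: int                        # lower value is considered first
    app_names: Tuple[str, ...] = ()      # matched against the application label
    signers: Tuple[str, ...] = ()
    servers: ServerSet = field(default_factory=ServerSet)

    def matches_app(self, app_label: Dict[str, str]) -> bool:
        return app_label.get("name") in self.app_names or app_label.get("signer") in self.signers


def evaluate_spp(policies: List[ServerProtectionPolicy], app_label: Dict[str, str],
                 server: ServerInfo) -> Tuple[str, str]:
    """First policy whose application criteria and server set both match
    decides; a matching policy still denies a connection whose protocol is
    outside its allowed set. No match means an untrusted instance: blocked."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if not (policy.matches_app(app_label) and policy.servers.identifies(server)):
            continue
        if not policy.servers.protocol_allowed(server):
            return "deny", f"{policy.name}:protocol"
        return "allow", policy.name
    return "deny", "no-matching-policy"


# The two SPPs named in the text, with constructed hostnames, networks and signers.
SAMPLE_POLICIES = [
    ServerProtectionPolicy("outlook-to-exchange", 10, app_names=("outlook.exe",),
                           servers=ServerSet(hostname_suffixes=(".exchange.example.corp",),
                                             protocols=("https", "mapi"))),
    ServerProtectionPolicy("signed-to-sharepoint", 20,
                           signers=("Microsoft Corporation", "Adobe Systems"),
                           servers=ServerSet(hostname_suffixes=(".sharepoint.example.corp",),
                                             networks=("10.20.0.0/16",), protocols=("http", "https"))),
]

# Constructed application labels and server descriptions.
OUTLOOK = {"name": "outlook.exe", "signer": "Microsoft Corporation"}
ACROBAT = {"name": "acrobat.exe", "signer": "Adobe Systems"}
UNKNOWN_TOOL = {"name": "tool.exe"}
EXCHANGE_HTTPS = ServerInfo("https", "10.10.1.5", 443, "mail.exchange.example.corp")
EXCHANGE_SMB = ServerInfo("smb", "10.10.1.5", 445, "mail.exchange.example.corp")
SHAREPOINT = ServerInfo("https", "10.20.3.9", 443, "docs.sharepoint.example.corp")

if __name__ == "__main__":
    for label, server in ((OUTLOOK, EXCHANGE_HTTPS), (OUTLOOK, EXCHANGE_SMB),
                          (ACROBAT, SHAREPOINT), (UNKNOWN_TOOL, SHAREPOINT)):
        print(label["name"], server.protocol, server.hostname, "->", evaluate_spp(SAMPLE_POLICIES, label, server))
```

Because the decision is keyed on the server description as well as the application label, the same Outlook instance is allowed to reach Exchange over HTTPS, denied the same host over SMB, and allowed to reach SharePoint only through the second, signer-based policy.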

An additional protection layer may be added to the Server Protection Policy. Since the trusted application instance is allowed to connect to the sensitive servers, specific trusted application instances may be isolated from the environment (e.g. local/network storage, public internet, removable devices, etc.). This protects the information accessed by the trusted application instance. Examples include but are not limited to:

i) Prevent the specific Microsoft Word process connected to the Microsoft SharePoint server from saving any documents locally or uploading them to the cloud; and

ii) Isolate the specific Microsoft Internet Explorer instance connected to the sensitive Intranet Server from the public Internet.

Some types of malicious software use a well-known (usually trusted) application instance to connect to the servers in order to steal the information. To protect the servers from such malware the Server Protection Policy may include additional rules including but not limited to:

a) Protect the trusted application instance from any kind of injection from the untrusted application (e.g. restrict access to the memory of the trusted application instance from any unknown untrusted process); and

b) Protect the specified servers from network access by the trusted application instance if the current application instance (process) is compromised (e.g. the trusted application instance was launched by some unknown untrusted application).

Optionally, the SPP includes specific settings for auditing malware attacks, logging attempts to access a protected server and/or end-user notifications about such events.

Use Case 3—File Forwarding by Trusted Application Protection Policy

There are many applications designed for communications and conversations (e.g. email clients, messengers, etc.) that may attach and forward messages, documents, files and other items. In some cases it is important to prevent such applications from sending sensitive files (e.g. out of the corporate perimeter). Since the applications are allowed and trusted, they cannot be restricted using a Ransomware Protection Policy.

Use case 3 deals with controlling the operation and use of the application instance with specific data elements outside of the organizational perimeter (for example interacting and communicating with other systems and services that are outside the organizational perimeter). This protects sensitive messages, data, files and the like from being distributed outside of the organizational perimeter.

The solution provided by use case 3 is based on an operational policy denoted the File Forwarding/Distribution Protection Policy (FFPP). According to the FFPP specific trusted application instances may be run normally but they are not allowed to access the protected files.

The FFPP controls operations by an application instance based on information and data included in the application and data element labels. Access by the application instance to the specified files is controlled as defined in the policy (e.g. restricted, blocked, etc.).

Application labels optionally contain information and data including but not limited to, for example, combinations of:

i) Application file location, checksum, name, owner, version, product name, description, publisher, runtime arguments, etc.;

ii) Application source (e.g. installed by Microsoft System Center Configuration Manager, installed from the package downloaded from the specific URL, specific organization's network share, removable device, received by email, copied from another computer, installed by the specific user group, etc.);

iii) Account using the application instance;

iv) Operations performed by the application instance;

v) Creator of the application; and

vi) Communication protocol associated with the application.

Data element labels optionally contain information and data including but not limited to combinations of:

i) Specific file types (e.g. all the Microsoft Office files); and

ii) Specific locations (e.g. all the Microsoft Office files located on all the organization shares and local disks).

For example the FFPP may:

i) Prevent Microsoft Outlook from attaching any files from the local disk or network share to outgoing emails; and

ii) Allow Skype in the organization for messages only, whereas no files are allowed to be forwarded using Skype.

Optionally, the FFPP includes specific settings for auditing attempts to forward the sensitive files and/or end-user notifications about such events.

In an exemplary embodiment with multiple hosts, the FFPP is determined based on an analysis of multiple application labels (from multiple hosts) in combination. For example, sending a document out from the organization may be permitted. However, if a trend is identified of sending documents of the same type, from the same source and to the same recipient at different hosts, such sending operations will be blocked or restricted. This type of control may not be effective based on an analysis of labeled data (e.g. application label and data element label) on a single host, but an analysis of labeled data from multiple hosts gives additional context and relevant control.
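The following is an added example of the multi-host trend analysis just described; it is not the patent's code. It assumes that each host reports every outbound forwarding attempt with the relevant fields of its application and data element labels (application, document type, source, recipient), that the reports are gathered at one decision point, and that a trend means the same (document type, source, recipient) triple seen from a threshold of distinct other hosts within a time window. The hosts, recipients, timestamps, window and threshold are constructed. The same scenario run from a single host never trips the detector, which is the single-host limitation the text points out.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import DefaultDict, List, Tuple


@dataclass(frozen=True)
class ForwardEvent:
    """One attempt, reported by a host, to send a document out of the
    perimeter; the fields come from that host's application and data labels."""
    ts: int            # seconds; constructed timestamps
    host: str
    app: str           # e.g. "outlook.exe"
    doc_type: str      # from the data element label, e.g. ".docx"
    source: str        # where the document came from
    recipient: str     # external recipient


Triple = Tuple[str, str, str]


class ForwardingTrendDetector:
    """Combined analysis over labels from multiple hosts: once the same
    (document type, source, recipient) triple has been sent from enough
    distinct other hosts within the window, further sends are restricted."""

    def __init__(self, window_s: int = 3600, min_other_hosts: int = 3) -> None:
        self.window_s = window_s
        self.min_other_hosts = min_other_hosts
        self.history: DefaultDict[Triple, List[ForwardEvent]] = defaultdict(list)

    @staticmethod
    def key(e: ForwardEvent) -> Triple:
        return (e.doc_type, e.source, e.recipient)

    def decide(self, e: ForwardEvent) -> str:
        """Returns "allow" or "restrict" for e, then records e for later decisions."""
        recent = [h for h in self.history[self.key(e)] if 0 <= e.ts - h.ts <= self.window_s]
        self.history[self.key(e)] = recent            # forget events outside the window
        other_hosts = {h.host for h in recent} - {e.host}
        decision = "restrict" if len(other_hosts) >= self.min_other_hosts else "allow"
        recent.append(e)
        return decision


def run_sample() -> List[str]:
    """Constructed scenario: four hosts mail the same kind of document from
    the same share to the same external address within minutes; an unrelated
    send and a send long after the window are unaffected."""
    det = ForwardingTrendDetector(window_s=3600, min_other_hosts=3)
    events = [
        ForwardEvent(0,    "host-a", "outlook.exe", ".docx", "\\\\share\\finance", "ext@example.net"),
        ForwardEvent(100,  "host-b", "outlook.exe", ".docx", "\\\\share\\finance", "ext@example.net"),
        ForwardEvent(200,  "host-c", "outlook.exe", ".docx", "\\\\share\\finance", "ext@example.net"),
        ForwardEvent(300,  "host-d", "outlook.exe", ".docx", "\\\\share\\finance", "ext@example.net"),
        ForwardEvent(350,  "host-a", "outlook.exe", ".xlsx", "\\\\share\\hr", "other@example.net"),
        ForwardEvent(5000, "host-e", "outlook.exe", ".docx", "\\\\share\\finance", "ext@example.net"),
    ]
    return [det.decide(e) for e in events]


def run_single_host() -> List[str]:
    """The same volume from one host only: nothing to correlate across hosts."""
    det = ForwardingTrendDetector(window_s=3600, min_other_hosts=3)
    return [det.decide(ForwardEvent(t, "host-a", "outlook.exe", ".docx", "\\\\share\\finance", "ext@example.net"))
            for t in (0, 100, 200, 300, 400)]


if __name__ == "__main__":
    print("multi-host :", run_sample())
    print("single-host:", run_single_host())
```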

Exemplary Embodiment in Microsoft System Environment

In an exemplary embodiment, the control action is applied using Microsoft kernel mode and user mode hooking tools such as:

1) File System—Microsoft File System Minifilter kernel driver may be used to control the access to the file system (open file/folder, create file/folder, change file/folder attributes, rename/delete file/folder, etc.);

2) Registry—Microsoft Filtering Registry Calls kernel driver may be used to control the access to the Registry (read/write/create/delete/change attributes of the registry keys and values);

3) Network—Microsoft Windows Filtering Platform API may be used to control the access to the Network (incoming and outgoing network connections);

4) Process Execution—Microsoft Process start/stop filtering kernel API (PsSetCreateProcessNotifyRoutineEx) may be used to control the process execution; and

5) Specific Windows API calls—Microsoft Detours software package (user mode hooks) may be used to control any specific Windows API call of the running application.

These tools enable controlling the access of any process running on the host to data element(s), and optionally to other resources, according to the operational policy. We intercept the application instance (e.g. process) that is launching, check active operational policies and apply the operational policy with the highest priority that matches the process that is launching.

Examples of control actions which may be applied with these tools include but are not limited to:

a) Denying, restricting or approving the operation. For example, blocking attempts to read a file, modify a file, execute a program, read/modify a registry key or value, connect to some IP/hostname, access the memory of some process, etc.;

b) Isolating the application instance from the system environment of the host and/or from the system environment having access to the data element; and

c) Resetting the host.

Exemplary Implementation

An exemplary implementation of the invention involves the following mainelements (A-E), as described below.

A. Application labeling process—a process which labels instances of anapplication.

B. Data labeling process—a process which labels data or data elements.

For the application labeling process and/or the data labeling processthe labeling may be performed at a different server or machine (forexample, by identifying or in any discovery of existing applications anddata on the disk). Optionally, the labeling is performed in real-time ina localized manner on the server, or system of the invention. Forexample, in any attempt to create or write to a new or existing datafile on the disk.

C. Operational policy—defines allowable and/or permitted operationand/or use of the data elements with the application instance. Theoperational policy is determined based on a combined analysis of theapplication and data element labels.

In the exemplary implementation, the operational policy governs the useand/or operation of a specific application instance with respect tospecific data elements. For example:

a) Defining from which machine or service or device, and/or via whichserver and/or from which location, the application instance may run fromor operate on;

b) Defining from which account and/or with which credentials theapplication instance may operate;

c) Defining which data elements and/or which type of data may be usedand in what manner it may be used (for example accessed, uploaded,downloaded, shared) by a particular application instance.

Optionally, the operational policy is determined and/or defined and/orupdated at a separate location from the host (e.g. a network server)according to the system requirements.

D. Applying the Operational Policy—Controlling the use and/or operationof an application instance on the host with respect to particular dataelement(s) based on the operational policy. Non-limiting examplesinclude:

a) Controlling use and operation of an application with different data;

b) Controlling different instances of the same application;

c) Denying or approving the operation of the application with respect tothe particular data and/or the use of data from the applicationinstance;

d) Monitor/create/audit/control operations by restricting or limitingthe use of the data elements with the application;

e) Blocking the application instance;

f) Stopping or isolating the host (when assumed to be compromised).

E. Providing credentials (optional)—Providing the correspondingcredentials for operating and/or using of application instance with thespecified/requested data. The credentials may be provided, for example,by a credentialing system such as the vault or from a local orexternally fetched file.

Optionally, aspects of the exemplary implementation are implementedusing one or more software agents, for example designed in the form of akernel driver in the operating system of the operating system (OS) onthe host.

In a specific example for a Microsoft Windows environment, the access control system is implemented as two software agents, the Application Control (AC) Driver and the Application Control (AC) Agent. The AC Driver and AC Agent interact as follows:

1. The AC Driver intercepts process start and synchronously passes the flow to the AC Agent service.

2. The AC Agent matches process parameters with policy parameters.

3. The AC Agent retrieves the outbound credentials (user name, domain name and password) that should be used according to the matching operational policy. E.g. the credentials could be received from a credential vault.

4. The AC Agent impersonates the process user and then calls the LogonUser API, passing the LOGON32_LOGON_NEW_CREDENTIALS logon type flag. The LogonUser API creates a new logon session for the logged-on user and attaches the provided outbound credentials to the logon session.

MSDN: LOGON32_LOGON_NEW_CREDENTIALS—This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections.

5. The AC Agent assigns the new access token to the process and returns the flow to the AC Driver.

6. When the process accesses local resources it is authenticated based on the current logon user access token. There are no changes in the process behavior when it accesses local resources.

7. When the process accesses remote network resources (e.g. a network share, a Web server using Windows Authentication, etc.) it is authenticated with the new outbound credentials. For example:

1) The system identifies the need for credentials for operating or using the application with the specific data;

2) The system automatically gets the appropriate credentials from the Vault;

3) The system attaches the appropriate security tokens to the end-user application instance—Microsoft Office.

These embodiments provide a solution on the endpoint that is completely transparent to a user and/or automated tool on the endpoint.
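
The following is an added example, not code from the patent or from the Viewfinity/CyberArk product, of the user-mode AC Agent side of steps 2 to 5 above. The policy record, the process parameters handed over by the driver, the vault contents and the share name are all assumed; the LOGON32_* constants are the real winbase.h values. The kernel driver that intercepts process start and the assignment of the new token to the intercepted process (step 5) are not shown; the nearest user-mode equivalent, impersonating the netonly token on the agent's own thread, is used instead.

```python
"""Added example (not the patent's code): the user-mode AC Agent side of
steps 2-5 above, with assumed policy/vault formats. The kernel driver that
intercepts process creation and assigns the token (steps 1 and 5) is not shown."""
import ctypes
import os
import sys
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constants from winbase.h (real values).
LOGON32_LOGON_NEW_CREDENTIALS = 9   # "netonly" logon: clone the caller's token, new outbound creds
LOGON32_PROVIDER_WINNT50 = 3        # the provider LogonUser requires with the logon type above


@dataclass(frozen=True)
class ProcessParams:              # what the driver hands the agent at process start (assumed fields)
    image: str                    # full path of the executable being started
    cmdline: str
    user: str                     # interactive user launching it
    origin: str                   # File Origin of the executable, e.g. "Local", "Internet", "Share"


@dataclass(frozen=True)
class Policy:                     # one operational policy (assumed format)
    name: str
    image_suffix: str             # matched case-insensitively against the end of the image path
    allowed_origins: FrozenSet[str]
    credential_id: Optional[str]  # vault entry for outbound credentials; None = user's own identity
    action: str = "allow"         # "allow" or "deny"


DEFAULT_DENY = Policy("default-deny", "", frozenset(), None, "deny")


def match_policy(params: ProcessParams, policies: List[Policy]) -> Policy:
    """Step 2: first policy whose parameters match the intercepted process; an
    executable no policy covers falls to DEFAULT_DENY (assumed default)."""
    image = params.image.lower()
    for pol in policies:
        if image.endswith(pol.image_suffix.lower()) and params.origin in pol.allowed_origins:
            return pol
    return DEFAULT_DENY


def handle_process_start(params: ProcessParams, policies: List[Policy],
                         vault: Dict[str, Tuple[str, str, str]]):
    """Steps 2-3: returns (policy, (user, domain, password) or None). The agent
    then runs steps 4-5 with logon_new_credentials() for a non-None result."""
    policy = match_policy(params, policies)
    if policy.action != "allow" or policy.credential_id is None:
        return policy, None
    return policy, vault[policy.credential_id]


def logon_new_credentials(user: str, domain: str, password: str):
    """Step 4: LogonUserW with LOGON32_LOGON_NEW_CREDENTIALS. The token keeps the
    caller's local identity and presents domain\\user only to remote servers.
    Caveat: this logon type does not verify the password against the domain;
    a wrong secret only fails at the first network authentication."""
    if sys.platform != "win32":
        raise OSError("LogonUser is a Windows API; run this step on Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.LogonUserW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_wchar_p,
                                    ctypes.c_uint32, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    advapi32.LogonUserW.restype = ctypes.c_int
    token = ctypes.c_void_p()
    if not advapi32.LogonUserW(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                               LOGON32_PROVIDER_WINNT50, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    return token


def run_with_outbound_credentials(token, fn):
    """Runs fn() while this thread impersonates the netonly token. The patent's agent
    instead assigns the token to the intercepted process (step 5), which needs the
    driver; impersonating the agent's own thread is the nearest user-mode equivalent."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    advapi32.ImpersonateLoggedOnUser.argtypes = [ctypes.c_void_p]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    if not advapi32.ImpersonateLoggedOnUser(token):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return fn()                # remote access (SMB, Windows-auth HTTP) now uses the vault identity
    finally:
        advapi32.RevertToSelf()    # local identity was never changed; drop the outbound creds
        kernel32.CloseHandle(token)


# Constructed sample policy set and an in-memory stand-in for the credential vault.
POLICIES = [
    Policy("office-to-fileshare", r"\winword.exe", frozenset({"Local", "Golden Image"}), "fileshare-svc"),
    Policy("browser-intranet", r"\iexplore.exe", frozenset({"Local"}), None),
]
FAKE_VAULT = {"fileshare-svc": ("svc_fileshare", "CORP", "example-only-not-a-real-secret")}
WINWORD_LOCAL = ProcessParams(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                              '"WINWORD.EXE" report.docx', "alice", "Local")
WINWORD_FROM_WEB = ProcessParams(r"C:\Users\alice\Downloads\WINWORD.EXE", "WINWORD.EXE", "alice", "Internet")

if __name__ == "__main__" and sys.platform == "win32":
    policy, creds = handle_process_start(WINWORD_LOCAL, POLICIES, FAKE_VAULT)
    if creds is not None:
        token = logon_new_credentials(*creds)
        # \\fileserver\finance is an assumed share; local paths are still checked as "alice".
        print(run_with_outbound_credentials(token, lambda: os.path.exists(r"\\fileserver\finance")))
```

The policy match runs anywhere; the LogonUser and impersonation steps only run on Windows. Note the caveat in `logon_new_credentials`: a LOGON32_LOGON_NEW_CREDENTIALS logon succeeds regardless of whether the password is correct, so an agent cannot use the LogonUser return value to validate vault contents.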

The labeling of application instances and data elements may take into account various factors, some of which may include:

-   the source of the data—whether the data is coming from the Internet, removable media, the internal network (e.g. network file shares or an Intranet download portal), a specific domain or IP address within the network, pre-installed software (“Golden Image”, i.e. the initial configuration of a machine in the network that is installed as the basis for new machines), an update or self-update (an existing application updating itself), a user download, email, an organizational software distribution system (e.g. Microsoft System Center Configuration Manager), or a remote copy from one computer to another (e.g. using the C$ admin share);
-   accounts—the account that created the resource, that was logged on during the creation, or that modified or accessed the resource at any time;
-   time—of each of the previous operations;
-   creator of the application—vendor, internal group/user, etc.;
-   groups—relating the element to a group of similar elements, such as by origin;
-   other features—digital signatures, “scanned by AV”, “released from quarantine”, “reviewed by DLP”, etc.;
-   special case—external reputation databases and threat detection systems (e.g. sandboxes); Viewfinity is today integrated with 2 reputation databases and 3 threat detection systems;
-   which applications are associated with the data element, for example which applications previously used, or attempted to use, the data element;
-   a communication protocol associated with a data element;
-   a communication protocol associated with an application;
-   other identification information associated with the user or process involved in the session.

In some cases the same type of application (e.g. Internet Explorer) may be used to access both sensitive and public resources. In such a case the different instances of the same application may be separated. For example, an Internet Explorer instance connected to a sensitive corporate Intranet server will be isolated from another Internet Explorer instance connected to the public Internet.

Exemplary Algorithms for File Origin (i.e. Application Source)

The following examples illustrate the types of information which may be included in application labels and in data element labels. As used in the examples below, the term “process” is used as an example of an instance of an application and the term “file” is used as an example of a data element.

A File Origin is attached to the application file (e.g. an executable file located on the hard disk). When an application file is created, the process that is creating the application file and its run-time parent processes are analyzed. The File Origin based on this analysis is attached to the application file. Once the application is launched, the File Origin attached to the application file may be analyzed so as to apply the appropriate operational policy to the running process.

Information that may be included in the application label (e.g. of the process) includes but is not limited to:

1) Run-time Parents of a process: the hierarchy of the process's parental processes;

2) Immediate Parent of a process: the Run-time Parent that creates the process.

Information that may be included in a data element label (e.g. of the file) includes but is not limited to:

1) Immediate Parent of a file: the process that creates the file;

2) Create-time Parents of the file: the file's immediate parent and the Run-time Parents of the file's immediate parent. It is possible that a file does not have Create-time Parents (e.g. files which appeared on the disk outside the monitoring of the VF Agent).

3) Create-time Grandparents of the file: the Create-time Parents of the file's Create-time Parents.

Optionally, information which is intended to be included in a label is analyzed when the label is created, and possibly altered as a result of the analysis. For example, if a data element label includes too many Create-time Parents, some of the Create-time Parents may be replaced or removed as described in the example below.

Create-Time Parents Lists

When a file creation activity of a monitored type of file (e.g. EXE, MSI, etc.) is captured, information about the process that created the file (i.e. the file's immediate parent) and about its run-time parents is stored with the file in its Extended File Attributes (EA). Extended File Attributes are a file system feature that enables users to associate computer files with metadata not interpreted by the file system. The File Origin XML is stored in Extended File Attributes attached to the file. (NTFS supports EAs; they are not preserved when the file is copied to a file system without EA support, and they can be modified by any process that can write the file.)

The data element label includes the timestamp of the new file creation and properties of the file's immediate parent and of the run-time parents of the immediate parent, such as:

a) For a regular process: full path, command line, publisher, product, etc.

b) For Windows Services: service name, full path, etc.

c) For MSI files: publisher, product, etc.

Some examples are:

A) For a file downloaded by a manually launched update of a product:

Timestamp                Process File (Application File)                    Process Command Line
2013-01-29 12:05:12.345  C:\WINDOWS\Explorer.EXE                            C:\WINDOWS\Explorer.EXE
2013-01-29 12:05:12.345  D:\util\totalcmd\TOTALCMD.EXE                      "D:\util\totalcmd\TOTALCMD.EXE"
2013-01-29 12:05:12.345  C:\WINDOWS\System32\WScript.exe                    "C:\WINDOWS\System32\WScript.exe" "C:\Program Files\vendor\product\update.vbs"
2013-01-29 12:05:12.345  C:\Program Files\vendor\product\check_updates.exe  check_updates.exe

B) For a file written by a service synchronizing RSS feeds (attached to Custom_Feed.msi):

Timestamp                Process File (Application File)      Process Command Line
2013-01-30 11:49:00.865  C:\WINDOWS\System32\smss.exe         \SystemRoot\System32\smss.exe
2013-01-30 11:49:00.865  C:\WINDOWS\system32\winlogon.exe     winlogon.exe
2013-01-30 11:49:00.865  C:\WINDOWS\system32\services.exe     C:\WINDOWS\system32\services.exe
2013-01-30 11:49:00.865  C:\WINDOWS\system32\svchost.exe      C:\WINDOWS\system32\svchost -k DcomLaunch
2013-01-30 11:49:00.865  C:\WINDOWS\system32\msfeedssync.exe  C:\WINDOWS\system32\msfeedssync.exe sync

C) For a file manually copied from CD (attached to My_App.exe):

Timestamp                Process File (Application File)  Process Command Line
2013-01-30 14:51:26.450  C:\WINDOWS\Explorer.EXE          C:\WINDOWS\Explorer.EXE
2013-01-30 14:51:26.450  D:\util\totalcmd\TOTALCMD.EXE    "D:\util\totalcmd\TOTALCMD.EXE"

In order to optimize the information included in the data element label and/or application label (e.g. to shorten the list of processes), further analysis and/or rules may be used, such as:

1) Predefined helper lists of executable files:

-   a list of executable files for which the file itself and all its Run-time Parents should not be included in the label (e.g. svchost.exe, services.exe, and explorer.exe if it is not the Immediate Parent of the process or file, etc.);
-   a list of executable files which are included in the label but whose Run-time Parents should be ignored (e.g. explorer.exe if it is the Immediate Parent of the process or file, all files of parent type Internet, etc.);
-   a list of executable files that should not be included in the label but whose Run-time Parents should be included;
-   a list of recognized script engines which should be replaced with the corresponding scripts.

2) For MSI installations, replacement of the corresponding executable files with the original MSI file.

Following are the respective condensed lists obtained for the examples above:

A) For a file downloaded by a manually launched update of a product:

Timestamp                Process File (Application File)                    Process Command Line
2013-01-29 12:05:12.345  C:\Program Files\vendor\product\update.vbs         "C:\WINDOWS\System32\WScript.exe" "C:\Program Files\vendor\product\update.vbs"
2013-01-29 12:05:12.345  C:\Program Files\vendor\product\check_updates.exe  check_updates.exe

B) For a file written by a service synchronizing RSS feeds (attached to Custom_Feed.msi):

Timestamp                Process File (Application File)      Process Command Line
2013-01-30 11:49:00.865  C:\WINDOWS\system32\msfeedssync.exe  C:\WINDOWS\system32\msfeedssync.exe sync

C) For a file manually copied from CD (attached to My_App.exe):

Timestamp                Process File (Application File)  Process Command Line
2013-01-30 14:51:26.450  D:\util\totalcmd\TOTALCMD.EXE    "D:\util\totalcmd\TOTALCMD.EXE"

Optionally, if the list is too long then it is cut to have only N items (e.g. the bottommost 10 items).

The resulting list is the newly created file's Create-time Parents.
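
The condensation procedure above, as an added example that is not the patent's or Viewfinity's code. The helper lists are assumed from the examples in the text (the product's actual lists are not published here); in particular, script engines are assumed to behave like the second helper list (kept, but their Run-time Parents ignored), which is what reproduces the condensed table A above. The example goes one step beyond the text in treating msiexec.exe like a script engine so that rule 2 (replacement of the executable with the original MSI) falls out of the same code path, and in applying the cut to the bottommost N items.

```python
"""Added example (not the patent's or Viewfinity's code): condensing a raw
run-time parent chain into a Create-time Parents list. The helper lists below
are assumed from the text's examples."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Proc:
    timestamp: str
    image: str      # "Process File": the executable, or the script/MSI after replacement
    cmdline: str    # "Process Command Line", kept unchanged after replacement


# Helper list 1 (assumed): the entry and everything above it in the chain are dropped.
DROP_WITH_PARENTS = {"smss.exe", "winlogon.exe", "wininit.exe", "services.exe", "svchost.exe"}
# Helper list 2 (assumed): the entry is kept, its run-time parents are ignored (parent type Internet).
KEEP_IGNORE_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
# Helper list 3 (assumed): the entry itself is dropped but the walk continues upward.
DROP_KEEP_PARENTS = {"cmd.exe", "conhost.exe"}
# Helper list 4: engines replaced by the script (or, for msiexec, the MSI) they run.
REPLACE_WITH_ARGUMENT = {"wscript.exe", "cscript.exe", "powershell.exe", "msiexec.exe"}
# explorer.exe is special-cased in condense(): kept only as the immediate parent.

# First command-line argument that names a script or MSI, quoted or bare (assumed extension list).
_ARG_RE = re.compile(r'"([^"]+\.(?:vbs|js|wsf|ps1|msi))"|(\S+\.(?:vbs|js|wsf|ps1|msi))(?=\s|$)', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def replacement_target(cmdline: str) -> Optional[str]:
    m = _ARG_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def condense(chain: List[Proc], max_items: int = 10) -> List[Proc]:
    """chain: run-time ancestry, farthest ancestor first, immediate parent last.
    Walks bottom-up (closest first), applies the helper lists, then keeps the
    bottommost max_items entries. Returns the Create-time Parents, top first."""
    kept: List[Proc] = []
    for depth, proc in enumerate(reversed(chain)):
        name = _basename(proc.image)
        immediate = depth == 0
        if name in REPLACE_WITH_ARGUMENT:
            target = replacement_target(proc.cmdline)
            kept.append(replace(proc, image=target) if target else proc)
            break                       # assumed: treated like list 2, parents ignored
        if name == "explorer.exe":
            if immediate:
                kept.append(proc)       # list 2: kept, its parents ignored
            break                       # list 1 otherwise: dropped together with its parents
        if name in DROP_WITH_PARENTS:
            break
        if name in DROP_KEEP_PARENTS:
            continue
        kept.append(proc)
        if name in KEEP_IGNORE_PARENTS:
            break
    kept = kept[:max_items]             # bottommost N (kept is closest-first here)
    kept.reverse()                      # present farthest first, as in the tables above
    return kept


# Constructed from the three raw tables above, plus an MSI case for rule 2.
T_A, T_B, T_C = "2013-01-29 12:05:12.345", "2013-01-30 11:49:00.865", "2013-01-30 14:51:26.450"
EXAMPLE_A = [
    Proc(T_A, r"C:\WINDOWS\Explorer.EXE", r"C:\WINDOWS\Explorer.EXE"),
    Proc(T_A, r"D:\util\totalcmd\TOTALCMD.EXE", r'"D:\util\totalcmd\TOTALCMD.EXE"'),
    Proc(T_A, r"C:\WINDOWS\System32\WScript.exe",
         r'"C:\WINDOWS\System32\WScript.exe" "C:\Program Files\vendor\product\update.vbs"'),
    Proc(T_A, r"C:\Program Files\vendor\product\check_updates.exe", "check_updates.exe"),
]
EXAMPLE_B = [
    Proc(T_B, r"C:\WINDOWS\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(T_B, r"C:\WINDOWS\system32\winlogon.exe", "winlogon.exe"),
    Proc(T_B, r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(T_B, r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\svchost -k DcomLaunch"),
    Proc(T_B, r"C:\WINDOWS\system32\msfeedssync.exe", r"C:\WINDOWS\system32\msfeedssync.exe sync"),
]
EXAMPLE_C = [
    Proc(T_C, r"C:\WINDOWS\Explorer.EXE", r"C:\WINDOWS\Explorer.EXE"),
    Proc(T_C, r"D:\util\totalcmd\TOTALCMD.EXE", r'"D:\util\totalcmd\TOTALCMD.EXE"'),
]
EXAMPLE_MSI = [
    Proc(T_C, r"C:\WINDOWS\Explorer.EXE", r"C:\WINDOWS\Explorer.EXE"),
    Proc(T_C, r"C:\WINDOWS\system32\msiexec.exe", r'msiexec.exe /i "C:\Users\alice\Downloads\Custom_Feed.msi" /qn'),
]

if __name__ == "__main__":
    for chain in (EXAMPLE_A, EXAMPLE_B, EXAMPLE_C, EXAMPLE_MSI):
        print([p.image for p in condense(chain)])
```

As in condensed table A, a replaced entry keeps the engine's command line as its Process Command Line while its Process File becomes the script; a practitioner extending the extension list should remember that the regular expression only sees the command line the engine was started with, not what the script itself later loads.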

Additional heuristics may be added, resulting in new categories of Create-time Parents, for example:

-   recognizing that a file was copied from an external location (network share, USB drive, etc.) and adding the original external file as the Immediate Parent of the newly created file;
-   recognizing that a file was copied from a local location (hard drive) and copying the original file's Parents/Grandparents to the newly created file;
-   recognizing that a file was downloaded from the Internet and adding the original Parent recognized as “Internet” as an Immediate Parent of the newly created file;
-   when a file is recognized as downloaded from the Internet, identifying the network address (e.g. URL) that originated the file and adding the information about the URL to the file's “Internet” Parent.

Create-Time Grandparents Lists

When a file is created, in order to recognize its principal origin it is often necessary to take into account the parents of the file's parents (e.g. at time t₁ a program a.exe creates its own updater b.exe, at time t₂ b.exe downloads c.exe, and at time t₃ c.exe creates a new a.exe). In real operation much more complicated scenarios often occur.

This indicates that the Create-time Parents of each of the Create-time Parents of a newly created file, and all of their respective Create-time Parents, should be analyzed. Ideally, due to the flexible definitions of Parent Types (e.g. addition/changing of custom Updaters), all these lists of lists of Parents should be kept forever, as theoretically any of them may be useful for future, better heuristics. However, this may entail storing a large amount of information along with the files or in a centralized data store.

Optionally, in addition to the shortening of the Create-time Parents described above, the list of Create-time Grandparents is shortened as well.

In one example, parent types are defined, where each parent type has specific properties associated with it. For example:

-   Internet: processes most likely creating files downloaded from the Internet (e.g. iexplore.exe, chrome.exe, ftp.exe, skype.exe, icq.exe, etc.). In some cases the exact URL cannot be identified, so the file origin of the file will be just “Internet”. However, in most cases the URL or IP address is known, so the file origin may include the URL or IP address.
-   Email: processes recognized as email clients (e.g. outlook.exe, etc.). The sender email address, the timestamp of the email, etc. may complement this information.
-   Updater: processes recognized by either pre-defined or custom parameters and most likely performing the sole role of either installing new applications or updating existing applications (e.g. ccmrepair.exe, ccmexec.exe, jusched.exe, etc.).
-   Local Share: the System process, when its activity is recognized as that of a CIFS server (i.e. the file is created on the computer by a remote CIFS client). The network address of the client, the name of the shared folder on the computer, etc. may complement this information.
-   Share: processes launched from a network share (e.g. \\Srv\util\TotalCommander\totalcmd.exe, \\Srv\install\Skype\skypesetup.exe, etc.).
-   Removable: processes launched from removable storage such as diskettes, flash drives, etc. (e.g. F:\install.exe, G:\hidden\virus.exe, etc.).
-   CDROM: processes launched from removable optical storage such as CD/DVD, etc. (e.g. F:\install.exe, G:\hidden\virus.exe, etc.).
-   Create-time Parents which are not of a special type have a “default” Parent Type (e.g. Local, for files which usually reside on local hard drives).

When a file creation of a monitored type (EXE, MSI, etc.) is captured, the list of its Create-time Parents is created (see above). Then for each of the Create-time Parents its Create-time Parents and Create-time Grandparents (if any) are copied into another list, then all Parents and Grandparents of the newly added list elements are added, and so forth until the desired level of detail is obtained.

For example, the following list is built from 3 sub-lists (Parent/Grandparent lists of Parents/Grandparents):

Sub-list  Timestamp  File
1         t₁         1.exe
          t₁         2.msi
          t₁         3.exe
2         t₂         4.exe
          t₂         5.exe
3         t₃         6.exe

where t₃ > t₂ > t₁.

After the list is completed, it is analyzed from bottom to top (i.e. from the “closest” file to the “farthest” file) in order to recognize a “special” parent type. If an entry matches several Parent Types, one of the matching types is taken according to the following precedence order:

1) Internet

2) Email

3) Updater

4) Local Share

5) Share

6) Removable

7) CDROM

E.g. the file \\srv\util\ftp.exe will get Parent Type “Internet” and not “Share”.

The sub-list with the first “special” Parent Type found remains; all other sub-lists are removed. In case no “special” Parent Type is found, the bottommost sub-list remains.

In the example above, if the file 4.exe is recognized as e.g. “Updater”, the resulting list will contain sub-list 2, i.e. the files 4.exe and 5.exe:

Sub-list  Timestamp  File   Parent Type
2         t₂         4.exe  Updater
          t₂         5.exe

The resulting list is the newly created file's Create-time Grandparents.
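
Parent Type recognition with the precedence order above, and the bottom-to-top selection of the Create-time Grandparents sub-list, as an added example that is not the patent's code. The process-name lists are the ones quoted in the text; the drive letters treated as removable or optical media, and the `recognized` field used to carry types the monitor derives from activity rather than from a path (Local Share, custom Updaters), are assumptions of this example.

```python
"""Added example (not the patent's code): Parent Type recognition with the
precedence order above and selection of the Create-time Grandparents sub-list.
Process-name lists are those quoted in the text; drive letters are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PRECEDENCE = ["Internet", "Email", "Updater", "Local Share", "Share", "Removable", "CDROM"]
INTERNET_PROCS = {"iexplore.exe", "chrome.exe", "ftp.exe", "skype.exe", "icq.exe"}
EMAIL_PROCS = {"outlook.exe"}
UPDATER_PROCS = {"ccmrepair.exe", "ccmexec.exe", "jusched.exe"}
REMOVABLE_DRIVES = {"F:"}   # assumed: letters the agent's device enumeration reports as flash drives
CDROM_DRIVES = {"G:"}       # assumed: letters reported as optical media


@dataclass(frozen=True)
class Entry:
    timestamp: int
    path: str
    # Parent Types the monitor recognized from activity rather than from the path: "Local Share"
    # for the System process serving a CIFS client, or "Updater" for a custom-defined updater.
    # This representation is assumed.
    recognized: Tuple[str, ...] = ()


def matching_types(entry: Entry) -> Set[str]:
    """Every Parent Type the entry matches, before precedence is applied."""
    name = entry.path.rsplit("\\", 1)[-1].lower()
    types = set(entry.recognized)
    if name in INTERNET_PROCS:
        types.add("Internet")
    if name in EMAIL_PROCS:
        types.add("Email")
    if name in UPDATER_PROCS:
        types.add("Updater")
    if entry.path.startswith("\\\\"):          # UNC path: launched from a network share
        types.add("Share")
    drive = entry.path[:2].upper()
    if drive in REMOVABLE_DRIVES:
        types.add("Removable")
    if drive in CDROM_DRIVES:
        types.add("CDROM")
    return types


def special_type(entry: Entry) -> Optional[str]:
    """Highest-precedence special Parent Type, or None for the default type (Local)."""
    types = matching_types(entry)
    return next((t for t in PRECEDENCE if t in types), None)


def select_grandparents(sublists: List[List[Entry]]) -> List[Tuple[str, Optional[str]]]:
    """sublists: farthest (oldest) first, closest (newest) last; each in chain order.
    Scans from the closest entry to the farthest. The sub-list holding the first
    special entry is kept with that entry tagged; otherwise the bottommost sub-list."""
    for sub in reversed(sublists):
        for entry in reversed(sub):
            kind = special_type(entry)
            if kind is not None:
                return [(e.path, kind if e is entry else None) for e in sub]
    return [(e.path, None) for e in sublists[-1]]


# Constructed: the three sub-lists from the text (t3 > t2 > t1), with 4.exe recognized as an
# Updater through custom parameters rather than through its name.
SUBLISTS = [
    [Entry(1, r"C:\apps\1.exe"), Entry(1, r"C:\apps\2.msi"), Entry(1, r"C:\apps\3.exe")],
    [Entry(2, r"C:\apps\4.exe", ("Updater",)), Entry(2, r"C:\apps\5.exe")],
    [Entry(3, r"C:\apps\6.exe")],
]

if __name__ == "__main__":
    print(special_type(Entry(0, r"\\srv\util\ftp.exe")))   # Internet takes precedence over Share
    print(select_grandparents(SUBLISTS))                    # sub-list 2, with 4.exe tagged Updater
```

Because the scan stops at the first special entry, a "Local" sub-list that is closer to the file than an "Internet" one further up is discarded, which is the intended behaviour of the precedence rule: the origin of interest is the nearest entry that is special at all, not the closest entry overall.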

Additional information which may be included in the file's label includes:

-   Creator: the user who created the file;
-   Installation: for MSI files and for EXEs recognized by heuristics;
-   Reputation: this information may be added to the stored label when the reputation information becomes available (possibly later in time than the file creation).

User Interface and Display

Some or all of the label information may be provided and/or displayed to a user via a user interface. The type and format of the label information thus provided will vary based on the requirements of the specific implementation.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).

It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

It is expected that during the life of a patent maturing from this application many relevant applications, application instances, data elements, operations, labels, operational policies and control actions will be developed and the scope of the terms application, application instance, data element, operation, label, operational policy and control action is intended to include all such new technologies a priori.

The terms “comprises”, “comprising”, “includes”, “including”, “having” and their conjugates mean “including but not limited to”.

The term “consisting of” means “including and limited to”.

The term “consisting essentially of” means that the composition, method or structure may include additional ingredients, steps and/or parts, but only if the additional ingredients, steps and/or parts do not materially alter the basic and novel characteristics of the claimed composition, method or structure.

As used herein, the singular forms “a”, “an” and “the” include plural references unless the context clearly dictates otherwise. For example, the term “a compound” or “at least one compound” may include a plurality of compounds, including mixtures thereof.

Throughout this application, various embodiments of this invention may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.

Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases “ranging/ranges between” a first indicated number and a second indicated number and “ranging/ranges from” a first indicated number “to” a second indicated number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.

It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.

Although the invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.

All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting.

What is claimed is:

1. A method for controlling application operations on data elements, comprising: executing, by at least one hardware processor, program instructions to: identify an activity by an instance of an application running on a host to perform an operation associated with a data element; obtain an application label comprising information regarding said instance of said application; obtain a data element label comprising information regarding said data element; determine an operational policy based on a combined analysis of at least said application label and said data element label, said operational policy governing the operation of said instance of said application with respect to said data element; and apply a control action to said operation according to said operational policy, so as to control said operation by said instance of said application with respect to said data element.

2. A method according to claim 1, wherein said identifying said activity by said instance of said running application comprises intercepting an attempt by said instance of said application to access said data element.

3. A method according to claim 1, wherein said obtaining an application label comprises: communicating with a resource associated with said instance of said application; receiving information about said instance of said application from said resource; and defining said application label based on said received information.

4. A method according to claim 1, wherein said applying said control action comprises restricting an ability of said instance of said application to perform said operation on said data element.

5. A method according to claim 1, wherein said applying said control action comprises controlling access by said instance of said application to said data element.

6. A method according to claim 1, wherein said applying said control action comprises dynamically monitoring operations performed by said instance of said application on said data element to identify violations of said operational policy.

7. A method according to claim 1, wherein said applying said control action comprises collecting audit data for operations performed by said instance of said application on said data element.

8. A method according to claim 1, wherein said applying said control action comprises at least one of: isolating said host from accessing a network; and isolating said host from being accessible over a network.

9. A method according to claim 1, further comprising: upon determining that credentials are required for performing said operation, obtaining, based on said operational policy, corresponding credentials for performing said operation; and providing said corresponding credentials to said instance of said application.

10. A method according to claim 1, wherein said data element label comprises an aggregation of information regarding a plurality of data elements.

11. A method according to claim 1, wherein said application label comprises an aggregation of at least one of: information regarding a plurality of applications and information regarding a plurality of instances of said application.

12. A method according to claim 1, wherein said obtaining of said application label is performed before said obtaining of said data element label.

13. A method according to claim 1, wherein said obtaining of said application label is performed simultaneously with said obtaining of said data element label.

14. A system configured for controlling application operations on data elements, comprising: at least one non-transitory computer readable storage medium storing instructions; and at least one processor configured to execute said instructions to: identify an activity by an instance of an application running on a host to perform an operation associated with a data element; obtain an application label comprising information regarding said application; obtain a data element label comprising information regarding said data element; determine, based on a combined analysis of at least said data element label and said application label, an operational policy governing the operation of said instance of said application with respect to said data element; and apply, according to said operational policy, a control action to said operation, so as to control said operation by said instance of said application on said data element.

15. A system according to claim 14, wherein said at least one processor is further configured to execute instructions to dynamically update at least one of said data element label and said application label.

16. A system according to claim 14, wherein said at least one processor is further configured to execute instructions to label other data elements associated with said application.

17. A system according to claim 14, wherein said system resides on one of: said host; an endpoint machine; a plurality of endpoint machines; a local server accessible via a local network; a remote server accessible via an external network; at least one cloud-based asset.

18. A system according to claim 14, wherein said data element resides in one of: a local memory of said host; a local storage unit accessible via a local network; and a remote storage unit accessible via a remote network.

19. A system according to claim 14, wherein said at least one processor is further configured to execute instructions to: upon determining that credentials are required for performing said operation, obtain, based on said operational policy, corresponding credentials for performing said operation; and provide said corresponding credentials to said instance of said application.

20. A system according to claim 14, wherein said data element label comprises an aggregation of information regarding a plurality of data elements.

21. A system according to claim 14, wherein said application label comprises an aggregation of information regarding a plurality of applications.

22. A system according to claim 14, wherein said at least one processor is further configured to execute instructions to control, according to said operational policy, at least one member from the group consisting of: subsequent operations of said instance of said application and operations of at least one other instance of said application.

23. A method for controlling untrusted applications in a system environment, comprising: executing, by at least one hardware processor, program instructions to: identify an activity by an instance of an application running on a host to perform an operation associated with a server; obtain an application label comprising information regarding said instance of said application; determine an operational policy based on a combined analysis of at least said application label and information pertaining to said server, said operational policy governing the use and operation of said instance of said application with respect to said server; and apply a control action to said operation according to said operational policy, so as to control said operation by said instance of said application with respect to said server.

24. A method according to claim 23, wherein said identifying said activity by said instance of said running application comprises intercepting an attempt by said instance of said running application to access said server.

25. A method according to claim 23, wherein said obtaining an application label comprises: communicating with a resource associated with said instance of said application; receiving information about said instance of said application from said resource; and defining said application label based on said received information.

26. A method according to claim 23, wherein said applying said control action comprises restricting an ability of said instance of said application to perform said operation on said server.

27. A method according to claim 23, wherein said applying said control action comprises controlling communication between said instance of said application and said server.

28. A method according to claim 23, wherein said applying said control action comprises dynamically monitoring operations performed by said instance of said application with respect to said server to identify violations of said operational policy.

29. A method according to claim 23, wherein said applying said control action comprises collecting audit data for operations performed by said instance of said application with respect to said server.

30. A method according to claim 23, wherein said information pertaining to said server comprises at least one of: an Internet Protocol (IP) address associated with said server; a Uniform Resource Locator (URL) address associated with said server; a port associated with said server; a host name associated with said server; and a communication protocol associated with said server.

31. A method according to claim 23, further comprising: upon determining that credentials are required for performing said operation, obtaining, based on said operational policy, corresponding credentials for performing said operation; and providing said corresponding credentials to said instance of said application.

32. A method according to claim 23, wherein said application label comprises an aggregation of at least one of: information regarding a plurality of applications, and information regarding a plurality of instances of said application.

33. A method according to claim 23, further comprising creating a server label comprising at least some of said information pertaining to said server, and wherein said determining an operational policy comprises a combined analysis of at least said application label and said server label.

34. A system configured for controlling untrusted applications in a system environment, comprising: at least one non-transitory computer readable storage medium storing instructions; and at least one processor configured to execute said instructions to: identify an activity by an instance of an application running on a host to perform an operation associated with a server; obtain an application label comprising information regarding said instance of said application; determine an operational policy based on a combined analysis of at least said application label and information pertaining to said server, said operational policy governing the operation of said instance of said application with respect to said server; and apply a control action to said operation according to said operational policy, so as to control said operation by said instance of said application with respect to said server.

35. A system according to claim 34, wherein said at least one processor is further configured to execute instructions to dynamically update at least one of said information pertaining to said server and said application label.

36. A system according to claim 34, wherein said at least one processor is further configured to execute instructions to: upon determining that credentials are required for performing said operation, obtain, based on said operational policy, corresponding credentials for performing said operation; and provide said corresponding credentials to said instance of said application.

37. A system according to claim 34, wherein said application label comprises an aggregation of at least one of: information regarding a plurality of applications, and information regarding a plurality of instances of said application.

38. A system according to claim 34, wherein said at least one processor is further configured to execute instructions to control, according to said operational policy, at least one member from the group consisting of: subsequent operations of said instance of said application and operations of at least one other instance of said application.